Azure · InspiraEnterprise · Sep 20, 2024 · Sep 20, 2024 · Sep 20, 2024 · Sep 20, 2024
@@ -0,0 +1,76 @@
+id: ""
+name: Account Lockout Alert
+description: |
+  'This Kusto Query Language (KQL) script is designed to analyze account lockout events (EventID 4740) over the last 5 working days, focusing on specific working hours (8 PM to 8 AM) in the US/Pacific time zone. The objective is to identify and highlight potential security anomalies where the frequency of lockouts exceeds the normal rate.'
+severity: Medium
+status: Available
+requiredDataConnectors:
+  - connectorId: Windows Security Events via AMA
+    dataTypes:
+      - SecurityEvent
+queryFrequency: 15m
+queryPeriod: 5d
+triggerOperator: GreaterThan
+triggerThreshold: 0
+tactics: [T1110, T1098, T1078]
+relevantTechniques: [Brute Force, Account Manipulation, Valid Accounts]
+query: |
+  let startHour = 20; // Start of the working hours (8 PM)
+  let endHour = 8;  // End of the working hours (8 AM)
+  let workingDays = 5;
+  let endTime = now();
+  let startTime = endTime - 30d; // A sufficiently large range to capture the last 5 working days plus today
+  // Get all days in the range and filter out weekends
+  let allDays = range x from startofday(startTime) to endofday(endTime) step 1d
+      | extend DayOfWeek = dayofweek(x)
+      | where DayOfWeek != 6d and DayOfWeek != 0d; // Exclude weekends
+  // Get the last 5 working days including today
+  let last5WorkingDays = allDays
+      | sort by x desc
+      | take workingDays;
+  // Determine the exact start time for the last 5 working days including today
+  let workingDaysStart = toscalar(last5WorkingDays | summarize min(x));
+  let workingDaysEnd = endTime;
+  // Retrieve and process lockout events
+  let lockouts = 
+      SecurityEvent
+      | extend pacific_dt = datetime_utc_to_local(TimeGenerated, 'US/Pacific') // converting the time zone to US/Pacific Time Zone
+      | extend DayOfWeek = dayofweek(pacific_dt)
+      | where DayOfWeek != 6d and DayOfWeek != 0d // Exclude weekends
+      | where EventID == 4740 // Account lockout event
+      | where pacific_dt between (workingDaysStart .. workingDaysEnd)
+      | extend Time = format_datetime(pacific_dt, "HH")
+      // Handle the time range that crosses midnight
+      | extend hourOfDay = datetime_part("hour", pacific_dt)
+      | where (hourOfDay >= startHour or hourOfDay < endHour)
+      | summarize lockoutCount = count(),TargetUserName = make_set(TargetUserName) by bin(pacific_dt, 1d), hourOfDay, Time;
+  // Calculate the average lockouts per hour over the last 5 working days
+  let rollingAverageLockoutsPerHour = 
+      lockouts
+      | summarize avgLockouts = avg(lockoutCount) by hourOfDay,Time;
+  // Get lockouts by hour for each of the last 5 working days including today
+  let workingDayLockoutsPerHour = 
+      lockouts
+      | summarize dailyLockoutCount = sum(lockoutCount),TargetUserName = make_set(TargetUserName) by bin(pacific_dt, 1d), hourOfDay, Time
+      | project pacific_dt, hourOfDay, dailyLockoutCount, TargetUserName;
+  // Join with the rolling average lockouts per hour
+  workingDayLockoutsPerHour
+  | join kind=inner (rollingAverageLockoutsPerHour) on hourOfDay
+  | extend Time = strcat(format_datetime(pacific_dt, "yyyy-MM-dd"), " ", tostring(Time), ":00")
+  | project Time, dailyLockoutCount, avgLockouts, TargetUserName
+  | order by Time asc
+  | where dailyLockoutCount > avgLockouts * 1.5
+  | render timechart with(title="Account Lock Events")
+entityMappings:
+  - entityType: Account
+    fieldMappings:
+      - identifier: Name
+        columnName: TargetUserName
+eventGroupingSettings:
+  aggregationKind: AlertPerResult
+alertDetailsOverride:
+  alertDisplayNameFormat: "Account Lockout Alert: Lockout exceeded threshold"
+  alertDescriptionFormat: 'Lockout events for user {{TargetUserName}} exceeded the expected threshold in the time range {{Time}}.'
+  alertSeverityColumnName: dailyLockoutCount
+version: 1.0.1
+kind: Scheduled
@@ -0,0 +1,103 @@
+{
+  "$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#",
+  "handler": "Microsoft.Azure.CreateUIDef",
+  "version": "0.1.2-preview",
+  "parameters": {
+    "config": {
+      "isWizard": false,
+      "basics": {
+        "description": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/refs/heads/master/Logos/Azure_Sentinel.svg\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Account_Lockout/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThis Kusto Query Language (KQL) script is designed to analyze account lockout events (EventID 4740) over the last 5 working days, focusing on specific working hours (8 PM to 8 AM) in the US/Pacific time zone. The objective is to identify and highlight potential security anomalies where the frequency of lockouts exceeds the normal rate.\n\n**Analytic Rules:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+        "subscription": {
+          "resourceProviders": [
+            "Microsoft.OperationsManagement/solutions",
+            "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+            "Microsoft.Insights/workbooks",
+            "Microsoft.Logic/workflows"
+          ]
+        },
+        "location": {
+          "metadata": {
+            "hidden": "Hiding location, we get it from the log analytics workspace"
+          },
+          "visible": false
+        },
+        "resourceGroup": {
+          "allowExisting": true
+        }
+      }
+    },
+    "basics": [
+      {
+        "name": "getLAWorkspace",
+        "type": "Microsoft.Solutions.ArmApiControl",
+        "toolTip": "This filters by workspaces that exist in the Resource Group selected",
+        "condition": "[greater(length(resourceGroup().name),0)]",
+        "request": {
+          "method": "GET",
+          "path": "[concat(subscription().id,'/providers/Microsoft.OperationalInsights/workspaces?api-version=2020-08-01')]"
+        }
+      },
+      {
+        "name": "workspace",
+        "type": "Microsoft.Common.DropDown",
+        "label": "Workspace",
+        "placeholder": "Select a workspace",
+        "toolTip": "This dropdown will list only workspace that exists in the Resource Group selected",
+        "constraints": {
+          "allowedValues": "[map(filter(basics('getLAWorkspace').value, (filter) => contains(toLower(filter.id), toLower(resourceGroup().name))), (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]",
+          "required": true
+        },
+        "visible": true
+      }
+    ],
+    "steps": [
+      {
+        "name": "analytics",
+        "label": "Analytics",
+        "subLabel": {
+          "preValidation": "Configure the analytics",
+          "postValidation": "Done"
+        },
+        "bladeTitle": "Analytics",
+        "elements": [
+          {
+            "name": "analytics-text",
+            "type": "Microsoft.Common.TextBlock",
+            "options": {
+              "text": "This solution installs the following analytic rule templates. After installing the solution, create and enable analytic rules in Manage solution view."
+            }
+          },
+          {
+            "name": "analytics-link",
+            "type": "Microsoft.Common.TextBlock",
+            "options": {
+              "link": {
+                "label": "Learn more",
+                "uri": "https://docs.microsoft.com/azure/sentinel/tutorial-detect-threats-custom?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef"
+              }
+            }
+          },
+          {
+            "name": "analytic1",
+            "type": "Microsoft.Common.Section",
+            "label": "Account Lockout Alert",
+            "elements": [
+              {
+                "name": "analytic1-text",
+                "type": "Microsoft.Common.TextBlock",
+                "options": {
+                  "text": "This Kusto Query Language (KQL) script is designed to analyze account lockout events (EventID 4740) over the last 5 working days, focusing on specific working hours (8 PM to 8 AM) in the US/Pacific time zone. The objective is to identify and highlight potential security anomalies where the frequency of lockouts exceeds the normal rate."
+                }
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "outputs": {
+      "workspace-location": "[first(map(filter(basics('getLAWorkspace').value, (filter) => and(contains(toLower(filter.id), toLower(resourceGroup().name)),equals(filter.name,basics('workspace')))), (item) => item.location))]",
+      "location": "[location()]",
+      "workspace": "[basics('workspace')]"
+    }
+  }
+}