seamustuohy/stronium-2020-08.MTP

## stronium-2020-08.MTP
// STRONTIUM: Detecting new patterns in credential harvesting
// https://www.microsoft.com/security/blog/2020/09/10/strontium-detecting-new-patters-credential-harvesting/
// Microsoft Threat Protection (MTP) Query
// Thanks Microsoft for not providing your own plain text version! I loved writing this from an image.
IdentityLogonEvents
| where Timestamp > ago(30d)
| where ActionType == "LogonFailed"
| where IPAddress startswith "185.220.101." or IPAddress startswith "199.249.230." or IPAddress startswith "23.129.64." or  IPAddress startswith "109.70.100." or  IPAddress startswith "185.220.102."
| summarize authAttempts=dcount(Timestamp), firstAttempt=min(Timestamp), lastAttempt=max(Timestamp),uniqueIPs=dcount(IPAddress), uniqueAccounts=dcount(AccountObjectId),attemptedAccounts=make_set(AccountObjectId) by DeviceType, OSPlatform
| sort by uniqueAccounts
	// STRONTIUM: Detecting new patterns in credential harvesting
	// https://www.microsoft.com/security/blog/2020/09/10/strontium-detecting-new-patters-credential-harvesting/
	// Microsoft Threat Protection (MTP) Query
	// Thanks Microsoft for not providing your own plain text version! I loved writing this from an image.
	IdentityLogonEvents
	\| where Timestamp > ago(30d)
	\| where ActionType == "LogonFailed"
	\| where IPAddress startswith "185.220.101." or IPAddress startswith "199.249.230." or IPAddress startswith "23.129.64." or IPAddress startswith "109.70.100." or IPAddress startswith "185.220.102."
	\| summarize authAttempts=dcount(Timestamp), firstAttempt=min(Timestamp), lastAttempt=max(Timestamp),uniqueIPs=dcount(IPAddress), uniqueAccounts=dcount(AccountObjectId),attemptedAccounts=make_set(AccountObjectId) by DeviceType, OSPlatform
	\| sort by uniqueAccounts