diff --git a/README.md b/README.md index 169b3d0..c76499d 100644 --- a/README.md +++ b/README.md @@ -78,6 +78,25 @@ SecurityEvent | project TimeGenerated , Activity , Account ``` +Luis and Heloise are both canary accounts we know and maintain. Let's check on them. + +``` +SecurityEvent +| where EventID == 4624 or EventID == 4625 or EventID == 4776 +| where Account contains "Heloise" or Account contains "luis" +| project Activity, Account, Computer, IpAddress +``` + +Ever seen a password spray in real time logs? + +``` +SecurityEvent +| where EventID == 4625 +| where TimeGenerated > ago(24h) +| summarize Count=count() by bin(TimeGenerated, 1m) +| render timechart +``` + ## Attack Detect Defend - Part 2 (~09/17/24 10:00 AM) ### Slides
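Review bot: the canary query's `| where Account contains "Heloise" or Account contains "luis"` is a substring match (case-insensitive in KQL), so it will also return any other account whose name contains those strings; matching the full account value, e.g. `| where Account has_any ("Heloise", "luis")` or the exact `DOMAIN\name` strings, keeps the canary check specific. The same query also has no time window, unlike the password-spray query's `| where TimeGenerated > ago(24h)`. For the spray chart, `summarize Count=count() by bin(TimeGenerated, 1m)` folds every 4625 into one series; adding `IpAddress` (or `dcount(Account)`) to the `summarize` would separate one source failing against many accounts from ordinary scattered logon failures, which is the signal a spray leaves.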