Microsoft Sentinel is a great tool for collecting logs, but it has its flaws. One of those flaws is that Microsoft has changed the agent it recommends and has done a poor job of updating its workbooks and connectors to work with the new agent. In this blog I am going to discuss the queries and the updated workbook you will need to get the Insecure Protocols workbook working with the Azure Monitor Agent (AMA). If you are still running the OMS agent, this guide written by Microsoft covers how to migrate to the AMA agent. I did not have the traffic to test WDigest, SMBv1 or Vulnerable Secure Channel, so those might still not function correctly in the workbook.
Insecure Protocol Workbook
The Insecure Protocols workbook queries the Microsoft Sentinel logs looking for Kerberos tickets issued with weak ciphers (DES and RC4), LDAP binds that are not secured (simple binds in clear text and SASL binds without signing, rather than LDAPS or signed binds), SMBv1, WDigest and NTLMv1. With the legacy OMS agent, the non-Security Windows logs the workbook reads (Directory Service, System) were written to the Event table. With the AMA agent, using the Windows Security Events via AMA connector with custom XPath filters, everything is written to the SecurityEvent table, which is why the workbook's queries have to change.
You will need to write AMA data collection rules (DCRs) with custom XPath filters for Kerberos, LDAP, SMBv1, NTLMv1, WDigest and Vulnerable Secure Channel. The filters are listed below in the Channel!XPath form the connector's custom filter expects. I have also placed the queries on my GitHub site. I also did not have traffic in the logs for NTLMv1, WDigest or Vulnerable Secure Channel, so those queries may need to be tweaked to get them to work.
Kerberos
Security!*[System[(EventID=4768 or EventID=4769)]]
LDAP
Directory Service!*[System[(EventID=2889 or EventID=2887)]]
Vulnerable Secure Channel
System!*[System[(EventID=5827 or EventID=5828 or EventID=5829 or EventID=5830)]]
Once you have the data collection rules written and the logs are landing in the SecurityEvent table, you can use the queries below to confirm that you are collecting the data the workbook needs. You can also use these queries to find insecure protocols without the workbook. You might not see SMBv1 data, because Event ID 3000 is only written (to the Microsoft-Windows-SMBServer/Audit log) once SMB1 access auditing is enabled on the server with Set-SmbServerConfiguration -AuditSmb1Access $true. Most modern systems disable SMBv1 by default. If you are running servers older than Server 2016, or you are unsure whether you are running SMBv1, follow this guide to enable auditing; it also explains how to disable SMBv1 if you have it enabled. For LDAP, domain controllers only log the per-client 2889 event when the "16 LDAP Interface Events" value under HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics is set to 2; at the default level you only get the daily 2887 summary count. NTLMv1 will show numerous anonymous authentications; this is normal behaviour and is discussed here. It is more than likely coming from the Computer Browser service, which can be disabled.
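Before building the DCRs it is worth proving, on a domain controller, that each XPath filter actually matches events and that the prerequisites for SMBv1 and LDAP logging are in place. The following pre-flight script is an added example and is not part of the original post. Get-WinEvent -FilterXPath accepts the same "*[System[...]]" expression that follows the "Channel!" prefix in a DCR custom filter, so a filter that returns events here will collect them once it is in a DCR. The Kerberos, LDAP and Vulnerable Secure Channel filters are the post's own; the SMBv1 and NTLMv1/WDigest filters are my assumptions for the DCRs the post does not list.

```powershell
# Added example (not from the original post): pre-flight check on a domain
# controller before building the AMA data collection rules.

# 1. SMB1: Event ID 3000 is only written when SMB1 access auditing is on.
$smb = Get-SmbServerConfiguration
if ($smb.EnableSMB1Protocol -and -not $smb.AuditSmb1Access) {
    Set-SmbServerConfiguration -AuditSmb1Access $true -Force
    Write-Host 'SMB1 is enabled; access auditing turned on (Microsoft-Windows-SMBServer/Audit, Event ID 3000).'
}

# 2. LDAP: the per-client 2889 event needs the NTDS diagnostic
#    "16 LDAP Interface Events" at level 2; level 0 only yields the daily 2887 summary.
$ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
$ldapLevel = (Get-ItemProperty -Path $ntds -Name '16 LDAP Interface Events').'16 LDAP Interface Events'
if ($ldapLevel -lt 2) {
    Write-Warning "LDAP Interface Events diagnostic level is $ldapLevel; set it to 2 to get 2889 per client."
}

# 3. Run every DCR filter locally and count what it returns (capped by -MaxEvents).
#    Keys marked "assumed" are my guesses for the filters the post does not show.
$filters = [ordered]@{
    'Kerberos'                          = @{ Log = 'Security';          XPath = '*[System[(EventID=4768 or EventID=4769)]]' }
    'LDAP'                              = @{ Log = 'Directory Service'; XPath = '*[System[(EventID=2889 or EventID=2887)]]' }
    'Vulnerable Secure Channel'         = @{ Log = 'System';            XPath = '*[System[(EventID=5827 or EventID=5828 or EventID=5829 or EventID=5830)]]' }
    'SMBv1 (assumed filter)'            = @{ Log = 'Microsoft-Windows-SMBServer/Audit'; XPath = '*[System[(EventID=3000)]]' }
    'NTLMv1 / WDigest (assumed filter)' = @{ Log = 'Security';          XPath = '*[System[(EventID=4624 or EventID=4776)]]' }
}

$results = foreach ($name in $filters.Keys) {
    $f = $filters[$name]
    try {
        $events = @(Get-WinEvent -LogName $f.Log -FilterXPath $f.XPath -MaxEvents 1000 -ErrorAction Stop)
    } catch {
        # Get-WinEvent errors both when the log does not exist and when nothing matches;
        # either way there is nothing for the DCR to collect yet.
        $events = @()
    }
    [pscustomobject]@{ Check = $name; Log = $f.Log; Events = $events.Count }
}
$results | Format-Table -AutoSize
```

Run it in an elevated PowerShell session on each DC. A zero for Kerberos on a domain controller means the Security log is not auditing Kerberos ticket operations at all, not that the filter is wrong; a zero for SMBv1 after auditing has been enabled means no client has spoken SMB1 to that server since, which is the answer you want.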
Kerberos
SecurityEvent
| where EventID == 4768 or EventID == 4769
| parse EventData with * '"TicketEncryptionType">' TicketEncryptionType '<' *
// 0xffffffff is the encryption type recorded on failed ticket requests; skip those
| where TicketEncryptionType != "0xffffffff"
| parse EventData with * '"IpAddress">' Ip '<' *
| parse EventData with * '"TargetUserName">' TargetUserName '<' *
| parse EventData with * '"ServiceName">' ServiceName '<' *
// IpAddress is normally an IPv4-mapped IPv6 address such as ::ffff:10.0.0.5; strip the
// prefix without truncating the address (a fixed 11-character cut loses the tail of 192.168.100.200)
| extend IPAddress = iff(Ip startswith "::ffff:", substring(Ip, 7), Ip)
// Map the ticket encryption type to a cipher name; DES_* and RC4_* are the weak ones the workbook flags
| extend Cipher = case(TicketEncryptionType == "0x1", "DES_CBC_CRC", TicketEncryptionType == "0x2", "DES_CBC_MD4",
    TicketEncryptionType == "0x3", "DES_CBC_MD5", TicketEncryptionType == "0x5", "DES3_CBC_MD5",
    TicketEncryptionType == "0x7", "DES3_CBC_SHA1", TicketEncryptionType == "0x11", "AES128-CTS-HMAC-SHA1",
    TicketEncryptionType == "0x12", "AES256-CTS-HMAC-SHA1", TicketEncryptionType == "0x17", "RC4_HMAC",
    TicketEncryptionType == "0x18", "RC4-HMAC-EXP", TicketEncryptionType)
| project IPAddress, TargetUserName, ServiceName, Cipher, Computer
LDAP
SecurityEvent
| where EventID == 2889
| extend EvData = parse_xml(EventData)
// 2889 carries its fields as unnamed <Data> elements: [0] client IP:port, [1] the identity the
// client bound as, [2] the binding type (simple bind vs unsigned SASL, see the event text)
| extend LdapData = EvData.EventData.Data
| extend IP = tostring(LdapData[0])
| extend AccountName = tostring(LdapData[1])
| extend BindType = tostring(LdapData[2])
SMBv1
SecurityEvent
// Event ID 3000 is written to Microsoft-Windows-SMBServer/Audit once SMB1 access auditing is enabled
| where EventID == 3000 and Channel == "Microsoft-Windows-SMBServer/Audit"
NTLMv1
SecurityEvent
| where EventID == 4624 or EventID == 4776
// Expect plenty of ANONYMOUS LOGON rows here; those are normal (see above)
| where LmPackageName has "NTLM V1"
WDigest
SecurityEvent
| where EventID == 4624 or EventID == 4776
// Assumption: the published fragment ends at the EventID filter; this package filter is how
// the original Microsoft workbook isolates WDigest logons
| where AuthenticationPackageName == "WDigest"
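Once the DCRs are deployed, the same confirmation can be scripted against the workspace instead of pasted query by query into the portal. The script below is an added example and not part of the original post or the workbook: it runs one summarised query per protocol over the last seven days with the Az.OperationalInsights module and reports the row count per domain controller. The workspace ID is a placeholder; the WDigest and Vulnerable Secure Channel queries are my assumptions, the others follow the post's queries.

```powershell
# Added example (not from the original post): confirm each insecure-protocol
# source is producing rows in SecurityEvent.
# Requires: Install-Module Az.OperationalInsights ; Connect-AzAccount
$workspaceId = '00000000-0000-0000-0000-000000000000'   # placeholder: your Log Analytics workspace ID

$queries = [ordered]@{
    'Kerberos weak cipher' = @'
SecurityEvent
| where EventID == 4768 or EventID == 4769
| parse EventData with * '"TicketEncryptionType">' TicketEncryptionType '<' *
| where TicketEncryptionType in ("0x1", "0x2", "0x3", "0x5", "0x7", "0x17", "0x18")
| summarize Tickets = count() by Computer, TicketEncryptionType
'@
    'LDAP simple / unsigned bind' = @'
SecurityEvent
| where EventID == 2889
| summarize Binds = count() by Computer
'@
    'SMBv1' = @'
SecurityEvent
| where EventID == 3000 and Channel == "Microsoft-Windows-SMBServer/Audit"
| summarize Sessions = count() by Computer
'@
    'NTLMv1' = @'
SecurityEvent
| where EventID == 4624 or EventID == 4776
| where LmPackageName has "NTLM V1"
| summarize Logons = count() by Computer
'@
    'WDigest (assumed filter)' = @'
SecurityEvent
| where EventID == 4624
| where AuthenticationPackageName == "WDigest"
| summarize Logons = count() by Computer
'@
    'Vulnerable Secure Channel (assumed query)' = @'
SecurityEvent
| where EventID in (5827, 5828, 5829, 5830)
| summarize Events = count() by Computer, EventID
'@
}

foreach ($name in $queries.Keys) {
    $r = Invoke-AzOperationalInsightsQuery -WorkspaceId $workspaceId -Query $queries[$name] -Timespan (New-TimeSpan -Days 7)
    $rows = @($r.Results)
    '{0}: {1} row(s)' -f $name, $rows.Count
    $rows | Format-Table -AutoSize
}
```

A source that returns zero rows for a week while the local pre-flight on the DC showed events means the DCR is not collecting it (wrong channel name, filter typo, or the DCR is not associated with that DC), so check the DCR before touching the workbook.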
Insecure Protocol Workbook
Now that you have the proper data collection rules in place and have confirmed that the events are appearing in the SecurityEvent table, you can import this Microsoft Sentinel workbook.
I hope you find this updated workbook helpful in finding insecure protocols. Microsoft should also update its workbook to account for the new agent. Let me know if you find this useful.