Thanks for doing this work, it's been really helpful in detecting old protocols. I had some issues with the XML: for the LDAP dashboard the IPs weren't showing up, and there were a few other errors. Linked my XML for anyone who might find it useful.
I also modified some of the collection rules to try and minimise the amount of data going into Sentinel.
ForwardedEvents!*[System[(EventID=2889 or EventID=2887)]]
ForwardedEvents!*[System[(EventID=5827 or EventID=5828 or EventID=5829 or EventID=5830)]]
ForwardedEvents!*[System[(EventID=3000)]]
ForwardedEvents!*[System[(EventID=4768 or EventID=4769)] and EventData[Data[@Name='TicketEncryptionType'] != '0x12' and Data[@Name='TicketEncryptionType'] != '0xFFFFFFFF' and Data[@Name='TicketEncryptionType'] != '0x11']]
ForwardedEvents!*[System[(EventID=4624)] and EventData[Data[@Name='AuthenticationPackageName'] = 'NTLM' and Data[@Name='LmPackageName'] = 'NTLM V1' and Data[@Name='TargetUserName'] != 'ANONYMOUS LOGON']]
ForwardedEvents!*[System[(EventID=4776)] and EventData[Data[@Name='PackageName'] = 'WDigest']]
ForwardedEvents!*[System[(EventID=4624)] and EventData[Data[@Name='AuthenticationPackageName'] = 'WDigest']]
I don't have any WDigest, AAD Legacy Auth or Vulnerable Secure Channel so can't tell if they are working.
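Added example, not part of the post above or the project's XML: the same DCR XPath filters run locally with Get-WinEvent, so you can confirm each one parses (Get-WinEvent rejects malformed XPath, which is how the missing `*` after `!` shows up) and see how many events each filter would actually push into Sentinel before you commit it to a data collection rule. It assumes you run it on the WEF collector where the ForwardedEvents channel exists; the `-MaxEvents` cap and the `Get-EventField` helper are my own additions.

```powershell
<#
  Added example (not the original poster's XML). Re-runs the DCR XPath filters
  locally through Get-WinEvent to validate syntax and measure volume per rule.
  Assumptions: ForwardedEvents channel on a WEF collector; -MaxEvents is an
  arbitrary cap; Get-EventField is a hypothetical helper written for this script.
#>
[CmdletBinding()]
param(
    [string]$LogName = 'ForwardedEvents',
    [int]$MaxEvents = 10000
)

# DCR syntax is '<channel>!<xpath>'. Note the '*' after '!'; markdown rendering
# tends to eat it, and Get-WinEvent will reject the filter without it.
$DcrQueries = @(
    "ForwardedEvents!*[System[(EventID=2889 or EventID=2887)]]"
    "ForwardedEvents!*[System[(EventID=5827 or EventID=5828 or EventID=5829 or EventID=5830)]]"
    "ForwardedEvents!*[System[(EventID=3000)]]"
    "ForwardedEvents!*[System[(EventID=4768 or EventID=4769)] and EventData[Data[@Name='TicketEncryptionType'] != '0x12' and Data[@Name='TicketEncryptionType'] != '0xFFFFFFFF' and Data[@Name='TicketEncryptionType'] != '0x11']]"
    "ForwardedEvents!*[System[(EventID=4624)] and EventData[Data[@Name='AuthenticationPackageName'] = 'NTLM' and Data[@Name='LmPackageName'] = 'NTLM V1' and Data[@Name='TargetUserName'] != 'ANONYMOUS LOGON']]"
    "ForwardedEvents!*[System[(EventID=4776)] and EventData[Data[@Name='PackageName'] = 'WDigest']]"
    "ForwardedEvents!*[System[(EventID=4624)] and EventData[Data[@Name='AuthenticationPackageName'] = 'WDigest']]"
)

# Pull named EventData fields out of an event. Positions in .Properties differ
# per event ID, so go through the rendered XML and match on the Name attribute.
function Get-EventField {
    param(
        [System.Diagnostics.Eventing.Reader.EventRecord]$Event,
        [string[]]$Name
    )
    $xml = [xml]$Event.ToXml()
    $out = [ordered]@{}
    foreach ($n in $Name) {
        $out[$n] = ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $n }).'#text'
    }
    [pscustomobject]$out
}

foreach ($query in $DcrQueries) {
    # Split the DCR string into its channel and the XPath Get-WinEvent wants.
    $channel, $xpath = $query -split '!', 2
    try {
        $events = @(Get-WinEvent -LogName $LogName -FilterXPath $xpath -MaxEvents $MaxEvents -ErrorAction Stop)
    }
    catch {
        # Zero matches is a terminating error in Get-WinEvent, not an empty result;
        # anything else is most likely a syntax problem in the XPath itself.
        if ($_.Exception.Message -like '*No events were found*') {
            $events = @()
        }
        else {
            Write-Warning "XPath rejected: $xpath`n$($_.Exception.Message)"
            continue
        }
    }

    [pscustomobject]@{
        DcrChannel = $channel
        XPath      = $xpath
        Matches    = $events.Count
    } | Format-List

    # For the authentication rules, show which accounts and sources are still
    # using the weak protocol so there is something to chase, not just a count.
    if ($events.Count -gt 0 -and $xpath -match 'EventID=4624|EventID=4776|EventID=476[89]') {
        $events |
            ForEach-Object { Get-EventField -Event $_ -Name 'TargetUserName', 'IpAddress', 'WorkstationName', 'TicketEncryptionType' } |
            Group-Object TargetUserName, IpAddress |
            Sort-Object Count -Descending |
            Select-Object -First 10 Count, Name |
            Format-Table -AutoSize
    }
}
```

If you want to try the filters directly on a domain controller instead of the collector, the events are not all in one channel: 2887/2889 are in the Directory Service log, 5827-5830 in System, and 4624/4768/4769/4776 in Security, so run the script once per `-LogName` and ignore the rules that do not apply to that log. A filter that returns a warning rather than a count is the one to fix before it goes into the DCR.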