How to Monitor Compliant and Non-compliant Systems for Zerologon Using Azure Sentinel

In August 2020, we released security updates to resolve a vulnerability in the Netlogon protocol (CVE-2020-1472, "Zerologon") for all affected systems. With the August or September security updates deployed on the domain controllers, secure RPC is enforced for Windows machine accounts, trust accounts and domain controller accounts (the initial deployment phase described in KB4557222). A later enforcement phase extends this to every account, at which point vulnerable connections from unpatched or third-party devices are denied unless they are explicitly allowed by Group Policy.

However, if you want to find the systems that are still making vulnerable Netlogon connections (and so may have been missed by patching), or confirm which ones the domain controllers are already rejecting, you can use Azure Sentinel and the following KQL query to do that:

//Choose which to track (vulnerable Netlogon connections allowed vs. denied) and remove the comment
//Based on https://support.microsoft.com/en-us/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc
//Netlogon events 5827-5831 are written by the NETLOGON source to the System log of the domain controllers,
//so they arrive in the Event table (Windows event log collection), not in SecurityEvent

Event
| where EventLog == "System" and Source == "NETLOGON"
//| where EventID == 5829 //Vulnerable connection allowed (initial deployment phase): the client is not yet updated
//| where EventID == 5827 or EventID == 5828 //Vulnerable connection denied: enforcement is active on this domain controller
| join kind=inner (Heartbeat | summarize arg_max(TimeGenerated, OSType, OSMajorVersion, Version) by Computer) on Computer
| distinct Computer, EventID, OSType, OSMajorVersion, Version

As noted in the comment section of the KQL query, this is based on https://support.microsoft.com/en-us/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc. Keep in mind that Computer here is the domain controller that logged the event; the client that made the vulnerable connection (its machine account, domain and operating system) is only named in the event text, so look at RenderedDescription for those details. EventID is an integer column in the Event table, so compare it against numeric literals rather than strings, and the Heartbeat subquery keeps only the latest heartbeat per computer so that the join does not multiply rows.

NOTE: For Azure Sentinel this requires that Windows event log collection for the System log is enabled in the workspace (Agents configuration, Windows event logs) and that the Log Analytics agent (or its successor, the Azure Monitor agent) is installed on the domain controllers. The Security Events data connector on its own (the SecurityEvent table) will not pick these events up.

You can always get the most current version of this KQL query from my GitHub repo: https://github.com/rod-trent/SentinelKQL/blob/master/NetLogonPatchCompliance.txt

P.S. You can also use this query to develop an Analytics Rule that generates an Alert/Incident when non-compliant systems are located (event 5829 is the one to alert on). Or, consider developing a Workbook with the query that lets you track the systems that still need to be updated and those that have been addressed.
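The following query is an added example, not code from the original post or from the GitHub repo above. It serves both the monitoring query and the Analytics Rule idea: it reads the Netlogon events from the domain controllers' System log in the Event table, pulls the client machine account, domain and operating system out of the event text, and summarizes per client with first/last seen and the domain controllers that observed it. It assumes the field labels (Machine SamAccountName, Domain, Machine Operating System, Machine Operating System Build) shown for these events in KB4557222; the 14-day lookback and the output column names are my own choices.

```kusto
// Added example: enumerate the clients still making vulnerable Netlogon
// connections, as recorded by the domain controllers (KB4557222).
// Events 5827-5831 come from the NETLOGON source in the System log, so they
// sit in the Event table; Computer is the DC that logged them, and the client
// is only named in the event text.
let lookback = 14d;  // assumption: adjust to your retention and patch window
Event
| where TimeGenerated > ago(lookback)
| where EventLog == "System" and Source == "NETLOGON"
| where EventID in (5827, 5828, 5829, 5830, 5831)
// For an Analytics Rule that alerts only on clients that are still
// unpatched, uncomment the next line (5829 = vulnerable connection allowed).
//| where EventID == 5829
// Assumption: field labels as shown in KB4557222 for these events.
// extract() returns an empty string when a label is absent (the trust-account
// events 5828/5831 describe the trust rather than a machine account).
| extend ClientAccount = extract(@"Machine SamAccountName:\s*(\S+)", 1, RenderedDescription),
         ClientDomain  = extract(@"Domain:\s*(\S+)", 1, RenderedDescription),
         ClientOS      = extract(@"Machine Operating System:\s*([^\r\n]+?)\s*Machine Operating System Build", 1, RenderedDescription),
         ClientOSBuild = extract(@"Machine Operating System Build:\s*(\S+)", 1, RenderedDescription)
// Translate the event ID into what it means for patch compliance.
| extend Status = case(
    EventID == 5829, "Allowed (initial deployment phase): client not yet updated",
    EventID == 5830 or EventID == 5831, "Allowed by Group Policy exception",
    "Denied (enforcement active on this DC)")
| summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated),
            Connections = count(), DomainControllers = make_set(Computer)
    by ClientAccount, ClientDomain, ClientOS, ClientOSBuild, EventID, Status
| order by LastSeen desc
```

The per-client summary is what you want in a Workbook: a machine account that keeps appearing with Status "Allowed (initial deployment phase)" has not received the update (or is a third-party device that needs the vendor fix), while one whose last 5829 is older than your patch window and has no newer entries has been addressed. If you schedule the 5829-only variant as an Analytics Rule, group the alert by ClientAccount so each unpatched machine raises one incident rather than one per connection.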

[Want to discuss this further? Hit me up on Twitter or LinkedIn]
