How to Monitor Compliant and Non-compliant Systems for Zerologon Using Azure Sentinel

In August, we released security updates to resolve a vulnerability (CVE-2020-1472) for all affected systems. With August or September security updates deployed, Domain, Trust and Windows machine accounts will be protected.

However, for those organizations that want to monitor for those systems that are either compliant or non-compliant – and find those systems that might have been missed – you can use Azure Sentinel and the following KQL query to do that:

//Choose which to track (compliance or non-compliance) and remove the comment
//Based on

| join Heartbeat on Computer
//| where EventID == "5829" //Tracking NetLogon Non-Compliance
//| where EventID == "5827" or EventID == "5828" //Tracking NetLogon Compliance
| distinct Computer, OSType, OSMajorVersion, Version

As noted in the comment section of the KQL query, this is based on

NOTE: For Azure Sentinel this requires that the Security Event Data Connector is enabled and the Log Analytics agent (now called ‘Azure Monitor agent’) is installed on the remote systems. It also requires that you enable the agent collection of the System event log. You do this by modifying the Advanced settings => Data => Windows Events Logs for the Log Analytics workspace for Azure Sentinel.

Enable System event log agent collection

You can always get the most current version of this KQL query from my GitHub repo:

P.S. You can also use this query to develop an Analytics Rule that would generate an Alert/Incident when non-compliant systems are located. Or, consider developing a Workbook with the query that will allow you to track the systems that need to be updated and those that have addressed.

[Want to discuss this further? Hit me up on Twitter or LinkedIn]


One thought on “How to Monitor Compliant and Non-compliant Systems for Zerologon Using Azure Sentinel