zubairrahimsoc
Jun 16, 2021 (Copper Contributor)
Bruteforce Query
Is it the right query to know if someone is trying a brute force attempt with 5 failed login attempts?
SecurityEvent
| where TimeGenerated >= ago(1d)
| where EventID == 4625
| summarize Fail...
PrashTechTalk
Jun 17, 2021 (Brass Contributor)
There are many ways to achieve this. If it is for AAD then this should work and is generic for any application access that uses AAD accounts.
let timeframe = <set the time frame window>;
let threshold = <set max failures>;
SigninLogs
| where TimeGenerated >= ago(timeframe)
| where ResultType in ("50126", "50074")
| summarize min(TimeGenerated), max(TimeGenerated), FailedLogonCount = count() by ResultType, UserDisplayName, UserPrincipalName, AlternateSignInName, IPAddress
| where FailedLogonCount >= threshold
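Added example, not part of the original reply: the same result-code filter and threshold run over a constructed `datatable`, so it can be pasted into a Log Analytics query window without live sign-in data. The values `1d` and `5` come from the question; the sample rows, `referenceTime`, the reduced column set, and grouping by account and source IP only (so mixed result codes add to one total) are assumptions of this example.

```kql
// Constructed sample rows standing in for SigninLogs (not real data).
// Assumption: a fixed reference time replaces ago() so the result is repeatable.
let referenceTime = datetime(2021-06-17 12:00:00);
let timeframe = 1d;   // look-back window, as in the question
let threshold = 5;    // failed sign-ins needed to report, as in the question
// Row design:
//   alice / 203.0.113.10 : four 50126 failures and one 50074 inside the window
//   alice / 198.51.100.7 : one successful sign-in (ResultType "0"), filtered out
//   bob   / 198.51.100.7 : two failures, below the threshold
//   carol / 203.0.113.10 : one failure older than the look-back window
let SampleSigninLogs = datatable(TimeGenerated:datetime, ResultType:string,
                                 UserPrincipalName:string, IPAddress:string)
[
    datetime(2021-06-17 09:00:00), "50126", "alice@contoso.example", "203.0.113.10",
    datetime(2021-06-17 09:00:20), "50126", "alice@contoso.example", "203.0.113.10",
    datetime(2021-06-17 09:00:40), "50126", "alice@contoso.example", "203.0.113.10",
    datetime(2021-06-17 09:01:00), "50074", "alice@contoso.example", "203.0.113.10",
    datetime(2021-06-17 09:01:20), "50126", "alice@contoso.example", "203.0.113.10",
    datetime(2021-06-17 09:02:00), "0",     "alice@contoso.example", "198.51.100.7",
    datetime(2021-06-17 10:00:00), "50126", "bob@contoso.example",   "198.51.100.7",
    datetime(2021-06-17 10:05:00), "50126", "bob@contoso.example",   "198.51.100.7",
    datetime(2021-06-15 08:00:00), "50126", "carol@contoso.example", "203.0.113.10"
];
SampleSigninLogs
| where TimeGenerated >= referenceTime - timeframe
// ResultType is a string column in SigninLogs, so the codes are quoted.
| where ResultType in ("50126", "50074")
| summarize FirstFailure = min(TimeGenerated),
            LastFailure = max(TimeGenerated),
            ResultTypes = make_set(ResultType),
            FailedLogonCount = count()
    by UserPrincipalName, IPAddress
| where FailedLogonCount >= threshold
```

To run it against real data, swap `SampleSigninLogs` for `SigninLogs` and the first filter for `TimeGenerated >= ago(timeframe)`.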