KQL query

Question

Hi Team,we want&nbsp; failed attempt with in 5m duration but query is stopped for last line. Please correct me.let threshold=1;let authenticationWindow = 5m;SigninLogs| where UserPrincipalName == "email address removed for privacy reasons"| where ResultDescription has_any ("Invalid username or password", "Invalid on-premise username or password")| summarize FailedAttempt = count() by ResultDescription, UserPrincipalName, AppDisplayName| where FailedAttempt &gt;= ["threshold"]| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by bin(TimeGenerated, authenticationWindow), FailedAttempt, UserPrincipalName, AppDisplayName&nbsp;Last line getting error for&nbsp;TimeGenerated

jonhed · Answer

akshay250692&nbsp;&nbsp;&nbsp;| summarize FailedAttempt = count() by ResultDescription, UserPrincipalName, AppDisplayName&nbsp;&nbsp;The summarize above does not contain TimeGenerated, so the TimeGenerated field is removed from the results past that. Therefore, you cannot use it at the final line.Try the code below.&nbsp;&nbsp;&nbsp;let threshold=1;
let authenticationWindow = 5m;
let Logs = SigninLogs
| where UserPrincipalName == "email address removed for privacy reasons"
| where ResultDescription has_any ("Invalid username or password", "Invalid on-premise username or password");
Logs
| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by bin(TimeGenerated, authenticationWindow), UserPrincipalName, AppDisplayName
| join kind=inner (
	Logs
	| summarize FailedAttempt = count() by ResultDescription, UserPrincipalName, AppDisplayName
	| where FailedAttempt &gt;= ["threshold"]
) on UserPrincipalName,AppDisplayName,ResultDescription
| project-away UserPrincipalName1,AppDisplayName1,ResultDescription1&nbsp;&nbsp;&nbsp;

akshay250692 · Answer

Jonhed&nbsp;&nbsp;Still getting error'where' operator: Failed to resolve scalar expression named 'ResultDescription'

jonhed · Answer

akshay250692&nbsp;My bad, was missing a bit.let threshold=1;
let authenticationWindow = 5m;
let Logs = SigninLogs
| where UserPrincipalName == "email address removed for privacy reasons"
| where ResultDescription has_any ("Invalid username or password", "Invalid on-premise username or password");
Logs
| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by bin(TimeGenerated, authenticationWindow), UserPrincipalName, ResultDescription, AppDisplayName
| join kind=inner (
	Logs
	| summarize FailedAttempt = count() by ResultDescription, UserPrincipalName, AppDisplayName
	| where FailedAttempt &gt;= ["threshold"]
) on UserPrincipalName,AppDisplayName,ResultDescription
| project-away UserPrincipalName1,AppDisplayName1,ResultDescription1

akshay250692 · Answer

Jonhed&nbsp;&nbsp;Thankyou for reply. If i want to add some more field in alert like IPAddress, Location etc.. so where i ahve to edit. could you please edit so i will update again accordingly.

jonhed · Answer

It all depends on what you want the end result to look like and how the filtering is supposed to be done.Chatgpt can also generate KQL queries.

Forum Discussion

KQL query

Share

Resources