Bruteforce Qurey

%3CLINGO-SUB%20id%3D%22lingo-sub-2452909%22%20slang%3D%22en-US%22%3EBruteforce%20Qurey%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2452909%22%20slang%3D%22en-US%22%3E%3CP%3EIs%20it%20the%20right%20query%20to%20know%20if%20some%20one%20is%20trying%20to%20brute%20force%20attempt%20with%205%20failed%20login%20attempts.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ESecurityEvent%3CBR%20%2F%3E%7C%20where%20TimeGenerated%20%26gt%3B%3D%20ago(1d)%3CBR%20%2F%3E%7C%20where%20EventID%20%3D%3D%204625%3CBR%20%2F%3E%7C%20summarize%20FailedLogins%3Dcount(5)%20by%20Account%2C%20Computer%3CBR%20%2F%3E%7C%20sort%20by%20FailedLogins%20desc%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2452987%22%20slang%3D%22en-US%22%3ERe%3A%20Bruteforce%20Qurey%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2452987%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F950513%22%20target%3D%22_blank%22%3E%40Sec%3C%2FA%3E%26nbsp%3BThere%20are%20a%20couple%20of%20Brute%20force%20queries%20available%20OOTB%20that%20you%20can%20use%20as%20a%20baseline.%26nbsp%3B%20For%20instance%2C%20the%20code%20below%20is%20from%20the%20B%3CSTRONG%3Eruce%20force%20attack%20against%20Azure%20Portal%3C%2FSTRONG%3E.%26nbsp%3B%20You%20could%20remove%20the%20line%3A%3C%2FP%3E%3CPRE%20class%3D%22lia-code-sample%20language-applescript%22%3E%3CCODE%3E%7C%20where%20AppDisplayName%20has%20%22Azure%20Portal%22%3C%2FCODE%3E%3C%2FPRE%3E%3CP%3Eto%20make%20it%20more%20generic%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CPRE%20class%3D%22lia-code-sample%20language-applescript%22%3E%3CCODE%3Elet%20failureCountThreshold%20%3D%205%3B%0Alet%20successCountThreshold%20%3D%201%3B%0Alet%20authenticationWindow%20%3D%2020m%3B%0Alet%20aadFunc%20%3D%20(tableName%3Astring)%7B%0Atable(tableName)%0A%7C%20extend%20DeviceDetail%20%3D%20todynamic(DeviceDetail)%2C%20Status%20%3D%20todynamic(DeviceDetail)%2C%20LocationDetails%20%3D%20todynamic(LocationDetails)%0A%7C%20extend%20OS%20%3D%20DeviceDetail.operatingSystem%2C%20Browser%20%3D%20DeviceDetail.browser%0A%7C%20extend%20StatusCode%20%3D%20tostring(Status.errorCode)%2C%20StatusDetails%20%3D%20tostring(Status.additionalDetails)%0A%7C%20extend%20State%20%3D%20tostring(LocationDetails.state)%2C%20City%20%3D%20tostring(LocationDetails.city)%2C%20Region%20%3D%20tostring(LocationDetails.countryOrRegion)%0A%7C%20where%20AppDisplayName%20has%20%22Azure%20Portal%22%0A%2F%2F%20Split%20out%20failure%20versus%20non-failure%20types%0A%7C%20extend%20FailureOrSuccess%20%3D%20iff(ResultType%20in%20(%220%22%2C%20%2250125%22%2C%20%2250140%22%2C%20%2270043%22%2C%20%2270044%22)%2C%20%22Success%22%2C%20%22Failure%22)%0A%7C%20summarize%20StartTime%20%3D%20min(TimeGenerated)%2C%20EndTime%20%3D%20max(TimeGenerated)%2C%20IPAddress%20%3D%20make_set(IPAddress)%2C%20make_set(OS)%2C%20make_set(Browser)%2C%20make_set(City)%2C%0Amake_set(State)%2C%20make_set(Region)%2Cmake_set(ResultType)%2C%20FailureCount%20%3D%20countif(FailureOrSuccess%3D%3D%22Failure%22)%2C%20SuccessCount%20%3D%20countif(FailureOrSuccess%3D%3D%22Success%22)%0Aby%20bin(TimeGenerated%2C%20authenticationWindow)%2C%20UserDisplayName%2C%20UserPrincipalName%2C%20AppDisplayName%2C%20Type%0A%7C%20where%20FailureCount%20%26gt%3B%3D%20failureCountThreshold%20and%20SuccessCount%20%26gt%3B%3D%20successCountThreshold%0A%7C%20mvexpand%20IPAddress%0A%7C%20extend%20IPAddress%20%3D%20tostring(IPAddress)%0A%7C%20extend%20timestamp%20%3D%20StartTime%2C%20AccountCustomEntity%20%3D%20UserPrincipalName%2C%20IPCustomEntity%20%3D%20IPAddress%0A%7D%3B%0Alet%20aadSignin%20%3D%20aadFunc(%22SigninLogs%22)%3B%0Alet%20aadNonInt%20%3D%20aadFunc(%22AADNonInteractiveUserSignInLogs%22)%3B%0Aunion%20isfuzzy%3Dtrue%20aadSignin%2C%20aadNonInt%3C%2FCODE%3E%3C%2FPRE%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2453806%22%20slang%3D%22en-US%22%3ERe%3A%20Bruteforce%20Qurey%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2453806%22%20slang%3D%22en-US%22%3EHi%20Gray%20thanks%20for%20your%20response%20but%20i%20am%20looking%20for%20a%20query%20for%20our%20window%20on%20premise%20host%20that%20the%20logs%20are%20coming%20from%20Kaspersky%20through%20syslog%20server%20into%20our%20azure%20sentinel.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2457752%22%20slang%3D%22en-US%22%3ERe%3A%20Bruteforce%20Qurey%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2457752%22%20slang%3D%22en-US%22%3EThere%20are%20many%20ways%20to%20achieve%20this.%20If%20it%20is%20for%20AAD%20then%20this%20should%20work%20and%20is%20generic%20for%20any%20application%20access%20that%20uses%20AAD%20accounts.%3CBR%20%2F%3E%3CBR%20%2F%3Elet%20timeframe%20%3D%20%3CSET%20the%3D%22%22%20time%3D%22%22%20frame%3D%22%22%20window%3D%22%22%3E%3B%3CBR%20%2F%3Elet%20threshold%20%3D%20%3CSET%20max%3D%22%22%20failures%3D%22%22%3E%3B%3CBR%20%2F%3ESigninLogs%3CBR%20%2F%3E%7C%20where%20TimeGenerated%20%26gt%3B%3D%20ago(timeframe)%3CBR%20%2F%3E%7C%20where%20ResultType%20in%20(%2250126%22%2C%20%2250074%22)%3CBR%20%2F%3E%7C%20summarize%20min(TimeGenerated)%2C%20max(TimeGenerated)%2C%20FailedLogonCount%20%3D%20count()%20by%20ResultType%2C%20UserDisplayName%20%2C%20UserPrincipalName%2CAlternateSignInName%2CIPAddress%3CBR%20%2F%3E%7C%20where%20FailedLogonCount%20%26gt%3B%3D%20threshold%3CBR%20%2F%3E%3C%2FSET%3E%3C%2FSET%3E%3C%2FLINGO-BODY%3E
Occasional Contributor

Is it the right query to know if some one is trying to brute force attempt with 5 failed login attempts.

 

SecurityEvent
| where TimeGenerated >= ago(1d)
| where EventID == 4625
| summarize FailedLogins=count(5) by Account, Computer
| sort by FailedLogins desc

2 Replies

@zubairrahimsoc There are a couple of Brute force queries available OOTB that you can use as a baseline.  For instance, the code below is from the Bruce force attack against Azure Portal.  You could remove the line:

| where AppDisplayName has "Azure Portal"

to make it more generic

 

let failureCountThreshold = 5;
let successCountThreshold = 1;
let authenticationWindow = 20m;
let aadFunc = (tableName:string){
table(tableName)
| extend DeviceDetail = todynamic(DeviceDetail), Status = todynamic(DeviceDetail), LocationDetails = todynamic(LocationDetails)
| extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser
| extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)
| extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city), Region = tostring(LocationDetails.countryOrRegion)
| where AppDisplayName has "Azure Portal"
// Split out failure versus non-failure types
| extend FailureOrSuccess = iff(ResultType in ("0", "50125", "50140", "70043", "70044"), "Success", "Failure")
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), IPAddress = make_set(IPAddress), make_set(OS), make_set(Browser), make_set(City),
make_set(State), make_set(Region),make_set(ResultType), FailureCount = countif(FailureOrSuccess=="Failure"), SuccessCount = countif(FailureOrSuccess=="Success")
by bin(TimeGenerated, authenticationWindow), UserDisplayName, UserPrincipalName, AppDisplayName, Type
| where FailureCount >= failureCountThreshold and SuccessCount >= successCountThreshold
| mvexpand IPAddress
| extend IPAddress = tostring(IPAddress)
| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress
};
let aadSignin = aadFunc("SigninLogs");
let aadNonInt = aadFunc("AADNonInteractiveUserSignInLogs");
union isfuzzy=true aadSignin, aadNonInt
There are many ways to achieve this. If it is for AAD then this should work and is generic for any application access that uses AAD accounts.

let timeframe = <set the time frame window>;
let threshold = <set max failures>;
SigninLogs
| where TimeGenerated >= ago(timeframe)
| where ResultType in ("50126", "50074")
| summarize min(TimeGenerated), max(TimeGenerated), FailedLogonCount = count() by ResultType, UserDisplayName , UserPrincipalName,AlternateSignInName,IPAddress
| where FailedLogonCount >= threshold