KQL query for brute force/dictionary attack on an account in AppTraces


I've been trying to create a KQL query for this use case. I've come up with the below. Is this correct? Suggestions appreciated.

AppTraces
| where TimeGenerated > ago(365d)
| where Message contains 'has been disabled'
| extend username = extract('User with ID ([A-Za-z0-9_-]{1,20})', 1, Message)
| distinct username

The rule for this logic is:

In the event there are more login failures than <Nth> for each respective user during an <Nth> period span.

1 Reply
If this is going to be a scheduled rule, remember you can only go back 14 days (not 365 days):
https://docs.microsoft.com/en-us/azure/sentinel/tutorial-detect-threats-custom#query-scheduling-and-...
I would think you need a summarize and count to get the "Nth" number

Generally you should schedule these to run on the current day or interval, so let's say you configured it to run daily (once every 24 hrs); you then only need to look back 1d (or whatever you prefer).

AppTraces
| where TimeGenerated > ago(1d)
| where Message contains 'has been disabled'
| extend username = extract('User with ID ([A-Za-z0-9_-]{1,20})', 1, Message)
| summarize count() by username

Personally I prefer to look back to a known point in time (the first record after midnight in this example), using startofday():

AppTraces
| where TimeGenerated > startofday(ago(1d))
| where Message contains 'has been disabled'
| extend username = extract('User with ID ([A-Za-z0-9_-]{1,20})', 1, Message)
| summarize count() by username
| where count_ > 10
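The query above counts per user over the whole look-back period, whereas the rule in the question is "more than N failures per user during an N-long span". The following added example (editor's code, not from the original post or reply) buckets the same events into fixed time windows with bin() so the threshold applies per user per window, and keeps first/last seen timestamps for triage. The threshold of 10 and the 1-hour window are assumptions to replace with your own <Nth> values; the Message filter and the username regex are reused from the post.

```kql
// Added example: per-user, per-window threshold on AppTraces.
// threshold and window are assumed values; tune them to the rule's <Nth> parameters.
let threshold = 10;
let window = 1h;
AppTraces
| where TimeGenerated > startofday(ago(1d))          // known start point, as in the reply
| where Message contains 'has been disabled'          // filter reused from the post
| extend username = extract('User with ID ([A-Za-z0-9_-]{1,20})', 1, Message)
| where isnotempty(username)                          // drop rows where the regex did not match
| summarize Failures = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen  = max(TimeGenerated)
          by username, Window = bin(TimeGenerated, window)
| where Failures > threshold                          // only users exceeding N in one window
| project Window, username, Failures, FirstSeen, LastSeen
| order by Failures desc
```

When scheduling this as an analytics rule, set the run frequency to the same length as `window` (or smaller) so every bucket is evaluated at least once; a daily run over 1-hour buckets still works because the look-back covers the full previous day. If the "has been disabled" message is only written when an account is locked out rather than on each failed attempt, substitute the text your application logs for an individual failure so that `Failures` reflects attempts, not lockouts.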