kql query for brute force/dictionary attack on a account in apptraces

New Contributor

I've been trying to create a KQL query on this use case. i've come up with the below. is this correct? appreciate suggestions 

 

AppTraces

| where TimeGenerated > ago(365d)

| where Message contains 'has been disabled'

| extend username = extract('User with ID ([A-Za-z0-9_-]{1,20})', 1, Message)

| distinct username

 

the rule for this logic is - 

In the event there are more login failure than <Nth> for reach respective user during <Nth> period span

1 Reply
If this is going to be a scheduled Rule, remember you can only go back 14days (not 365days)
https://docs.microsoft.com/en-us/azure/sentinel/tutorial-detect-threats-custom#query-scheduling-and-...
I would think you need a summarize and count to get the "Nth" number

Generally you should schedule these to run on the current day or interval, so lets say you configured it to run daily (once every 24hrs); you then only need to look back 1d (or whatever you prefer)

AppTraces
| where TimeGenerated > ago(1d)
| where Message contains 'has been disabled'
| extend username = extract('User with ID ([A-Za-z0-9_-]{1,20})', 1, Message)
| summarize count() by username

Personally I prefer to look back to a know point in time (first record after mid night in this example), using startofday()

AppTraces
| where TimeGenerated > startofday(ago(1d))
| where Message contains 'has been disabled'
| extend username = extract('User with ID ([A-Za-z0-9_-]{1,20})', 1, Message)
| summarize count() by username
| where count_ > 10