AR Brute Force
Query
//Monitor for Brute Force attack
SigninLogs
| where ResultType == "50126" or ResultType == "50053"
| extend IPCustomEntity = IPAddress
| extend AccountCustomEntity = UserDisplayNameExplanation
This query is monitoring for brute force attacks by looking at the SigninLogs. It filters the logs for specific ResultTypes that indicate a potential brute force attack. It also creates custom entities for the IP address and user display name for further analysis.
Details

Rod Trent
Released: March 25, 2021
Tables
SigninLogs
Keywords
SigninLogsResultTypeIPCustomEntityIPAddressAccountCustomEntityUserDisplayName
Operators
whereor==extend