Query Details

AR Brute Force

Query

// Monitor for brute force attacks
SigninLogs
| where ResultType == "50126" or ResultType == "50053"
| extend IPCustomEntity = IPAddress
| extend AccountCustomEntity = UserDisplayName

Explanation

This query monitors for brute force attacks against Azure AD sign-ins by reading the SigninLogs table. It keeps only events whose ResultType is 50126 (invalid username or password) or 50053 (account locked after repeated failed sign-ins), the error codes that repeated password guessing leaves behind, and then exposes the source IP address and the user display name as custom entities (IPCustomEntity, AccountCustomEntity) so Sentinel can map them for further analysis.
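The query above returns every matching failure, which is noisy on its own. As an added example (not part of the original query page), the same detection carried one step further: failures are aggregated per source IP and account in one-hour windows and only groups that cross a threshold are returned. The SampleSigninLogs rows and the FailureThreshold value are constructed here so the query runs without a tenant; five failures from one IP against one account cross the threshold, a single failure from another IP does not.

```kql
// Constructed stand-in for the SigninLogs table (sample values, not real tenant data).
// Rows 1-5: one source IP guessing one account, ending in a 50053 lockout.
// Row 6: a single 50126 from a second IP (a typo, stays below threshold).
// Row 7: a successful sign-in (ResultType 0), which the filter ignores.
let SampleSigninLogs = datatable(TimeGenerated:datetime, ResultType:string, IPAddress:string, UserDisplayName:string)
[
    datetime(2021-03-25 10:00:00), "50126", "198.51.100.7", "Alice Example",
    datetime(2021-03-25 10:00:05), "50126", "198.51.100.7", "Alice Example",
    datetime(2021-03-25 10:00:09), "50126", "198.51.100.7", "Alice Example",
    datetime(2021-03-25 10:00:14), "50126", "198.51.100.7", "Alice Example",
    datetime(2021-03-25 10:00:20), "50053", "198.51.100.7", "Alice Example",
    datetime(2021-03-25 10:03:00), "50126", "203.0.113.42", "Bob Example",
    datetime(2021-03-25 10:05:00), "0",     "203.0.113.42", "Bob Example"
];
// Assumed threshold; tune per environment (not a value from the original query).
let FailureThreshold = 5;
SampleSigninLogs
// Same ResultType filter as the original query
| where ResultType in ("50126", "50053")
// Collapse individual failures into one row per IP, account and hour
| summarize FailedAttempts = count(),
            FirstFailure   = min(TimeGenerated),
            LastFailure    = max(TimeGenerated),
            LockedCount    = countif(ResultType == "50053"),
            ResultTypes    = make_set(ResultType)
    by IPAddress, UserDisplayName, bin(TimeGenerated, 1h)
// Alert only when the failure volume indicates guessing rather than a mistyped password
| where FailedAttempts >= FailureThreshold
// Entity mapping, as in the original query
| extend IPCustomEntity = IPAddress
| extend AccountCustomEntity = UserDisplayName
```

Against the real table, replace SampleSigninLogs with SigninLogs and add a time filter such as `| where TimeGenerated > ago(1h)` so the rule only examines the current window.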

Details

Rod Trent

Released: March 25, 2021

Tables

SigninLogs

Keywords

SigninLogs, ResultType, IPCustomEntity, IPAddress, AccountCustomEntity, UserDisplayName

Operators

where, or, ==, extend