AR Brute Force
Query
//Monitor for Brute Force attack
SigninLogs
| where ResultType == "50126" or ResultType == "50053"
| extend IPCustomEntity = IPAddress
| extend AccountCustomEntity = UserDisplayNameExplanation
This query looks at the SigninLogs to monitor for a Brute Force attack by filtering for specific ResultTypes and extending the entities for IP address and user display name.
Details

Rod Trent
Released: March 8, 2024
Tables
SigninLogs
Keywords
SigninLogsBruteForceAttackIPCustomEntityAccountCustomEntityUserDisplayName
Operators
where==orextend