Query Details

AR Brute Force

Query

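// Monitor for brute-force attacks
// ResultType 50126: invalid username or password
// ResultType 50053: account locked after repeated failed sign-ins, or sign-in blocked from a malicious IP
SigninLogs
| where ResultType == "50126" or ResultType == "50053"
| extend IPCustomEntity = IPAddress            // map the source IP to the IP entity
| extend AccountCustomEntity = UserDisplayName // map the user to the Account entity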

Explanation

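This query monitors SigninLogs for a brute-force attack by keeping only sign-in events whose ResultType is 50126 or 50053. It then copies IPAddress and UserDisplayName into the IPCustomEntity and AccountCustomEntity columns so the IP address and user are available as entities.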
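The query above returns one row per matching sign-in. The following is an added example, not part of the original query or the author's work, that applies the same ResultType filter and then aggregates per source IP so only repeated failures surface. The SampleSignins table and its rows, the 10-minute window and the threshold of 5 are constructed assumptions; replace SampleSignins with SigninLogs to run it on real data.

```kql
// Constructed sample rows (documentation IP ranges, example.com accounts).
let SampleSignins = datatable(TimeGenerated:datetime, IPAddress:string,
                              UserPrincipalName:string, ResultType:string)
[
    datetime(2024-03-08 09:00:10), "203.0.113.10", "alice@example.com", "50126",
    datetime(2024-03-08 09:01:05), "203.0.113.10", "alice@example.com", "50126",
    datetime(2024-03-08 09:02:40), "203.0.113.10", "bob@example.com",   "50126",
    datetime(2024-03-08 09:04:15), "203.0.113.10", "bob@example.com",   "50126",
    datetime(2024-03-08 09:06:30), "203.0.113.10", "carol@example.com", "50126",
    datetime(2024-03-08 09:08:00), "203.0.113.10", "alice@example.com", "50053",
    datetime(2024-03-08 09:03:00), "198.51.100.7", "dave@example.com",  "50126",
    datetime(2024-03-08 09:05:00), "198.51.100.7", "dave@example.com",  "0"
];
let window = 10m;           // assumed aggregation window, tune per tenant
let failureThreshold = 5;   // assumed minimum failures per IP per window
SampleSignins
// Same filter as the original query: bad credentials or locked account.
| where ResultType in ("50126", "50053")
| summarize
    FailedAttempts   = count(),
    TargetedAccounts = dcount(UserPrincipalName),
    LockoutEvents    = countif(ResultType == "50053"),
    FirstSeen        = min(TimeGenerated),
    LastSeen         = max(TimeGenerated)
    by IPAddress, bin(TimeGenerated, window)
// A single mistyped password stays below the threshold and is dropped.
| where FailedAttempts >= failureThreshold
// Distinguish one account hit repeatedly from many accounts hit from one IP.
| extend Pattern = iff(TargetedAccounts > 1,
                       "multiple accounts from one IP",
                       "single account")
| extend IPCustomEntity = IPAddress
| order by FailedAttempts desc
```

With the constructed rows, only 203.0.113.10 is returned (6 failures, 3 accounts, 1 lockout); the single failure from 198.51.100.7 is filtered out.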

Details

Rod Trent

Released: March 8, 2024

Tables

SigninLogs

Keywords

SigninLogs, Brute, Force, Attack, IPCustomEntity, AccountCustomEntity, UserDisplayName

Operators

where, ==, or, extend