Query Details

Access Global Failed Login

Query

// This query detects high severity security alerts from MCAS related to failed logins
SecurityAlert
| where ProviderName == "MCAS"
| where AlertSeverity == "High"
| extend Href_ = tostring(parse_json(ExtendedLinks)[1].Href)
| extend AccountCustomEntity = CompromisedEntity
| extend URLCustomEntity = Href_
| extend FileHashCustomEntity = Description

Explanation

This query is designed to identify high severity security alerts from Microsoft Cloud App Security (MCAS) that are associated with failed login attempts. Here's a breakdown of what the query does:

  1. Data Source: It starts by looking at the SecurityAlert data set.

  2. Filter by Provider: It filters the alerts to only include those generated by "MCAS" (Microsoft Cloud App Security).

  3. Filter by Severity: It further narrows down the results to only include alerts with a "High" severity level.

  4. Extract URL: It parses the ExtendedLinks JSON array, takes the Href of its second element (index 1), converts it to a string, and assigns it to a new field called Href_.

  5. Map Entities:

    • It maps the CompromisedEntity field to a new field called AccountCustomEntity.
    • It maps the extracted URL (Href_) to a new field called URLCustomEntity.
    • It maps the Description field to a new field called FileHashCustomEntity.

In summary, this query identifies high severity alerts from MCAS related to failed logins and extracts specific details such as a URL and compromised account information for further analysis or investigation.
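To exercise the same filter-and-project logic offline, here is an added Python example that is not part of the original query page; the SecurityAlert rows are constructed samples and the function names are assumptions. It also covers the case the query leaves implicit: an alert whose ExtendedLinks array holds fewer than two entries, where tostring() of the missing element yields an empty string.

```python
import json
from typing import Any

# Constructed sample rows shaped like SecurityAlert records (not real alerts).
SAMPLE_ALERTS = [
    {"ProviderName": "MCAS", "AlertSeverity": "High",
     "CompromisedEntity": "alice@example.com",
     "Description": "Multiple failed login attempts",
     "ExtendedLinks": json.dumps([
         {"Label": "Alert", "Href": "https://portal.example/alerts/1"},
         {"Label": "Activity", "Href": "https://portal.example/activity/1"}])},
    # Only one link: index [1] is out of range, so the URL becomes "".
    {"ProviderName": "MCAS", "AlertSeverity": "High",
     "CompromisedEntity": "bob@example.com",
     "Description": "Failed logins from a new location",
     "ExtendedLinks": json.dumps([
         {"Label": "Alert", "Href": "https://portal.example/alerts/2"}])},
    # Filtered out: wrong severity.
    {"ProviderName": "MCAS", "AlertSeverity": "Medium",
     "CompromisedEntity": "carol@example.com", "Description": "x", "ExtendedLinks": "[]"},
    # Filtered out: wrong provider (and ExtendedLinks is not even JSON).
    {"ProviderName": "ASC", "AlertSeverity": "High",
     "CompromisedEntity": "dave@example.com", "Description": "x", "ExtendedLinks": "not json"},
]


def second_href(extended_links: Any) -> str:
    """Mimic tostring(parse_json(ExtendedLinks)[1].Href): empty string when the
    value is not JSON, not an array, has no second element, or lacks Href."""
    try:
        links = json.loads(extended_links) if isinstance(extended_links, str) else extended_links
    except (TypeError, ValueError):
        return ""
    if not isinstance(links, list) or len(links) < 2 or not isinstance(links[1], dict):
        return ""
    href = links[1].get("Href")
    return "" if href is None else str(href)


def mcas_high_severity_alerts(rows):
    """Apply the query's two where-filters, then project the custom entity columns."""
    results = []
    for row in rows:
        if row.get("ProviderName") != "MCAS" or row.get("AlertSeverity") != "High":
            continue
        results.append({
            "AccountCustomEntity": row.get("CompromisedEntity"),
            "URLCustomEntity": second_href(row.get("ExtendedLinks")),
            "FileHashCustomEntity": row.get("Description"),  # mirrors the query as written
        })
    return results
```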

Details


User Submission

Released: November 10, 2024

Tables

SecurityAlert

Keywords

SecurityAlert, MCAS, AlertSeverity, ExtendedLinks, CompromisedEntity, Description

Operators

==, |, extend, tostring(), parse_json(), [ ]