Query Details
Anomalies Attempted User Account Bruteforce
Query
Anomalies
| where RuleName endswith "Attempted user account bruteforce" and RuleStatus != "Flighting"
| extend
Query = ExtendedLinks[0]["DetailBladeInputs"],
AttemptCount = toint(AnomalyDetails["Observables"][0]["Value"]),
ExpectedAttemptCount = toint(AnomalyDetails["Observables"][0]["TypicalObservations"]["Expected count"])
| project
TimeGenerated,
RuleName,
Description,
Query,
UserName,
AttemptCount,
ExpectedAttemptCount,
Score,
AnomalyDetails,
Entities,
Tactics,
Techniques,
ExtendedLinks
Explanation
This query is looking for anomalies related to attempted user account brute force attacks. It filters out any anomalies that are in the "Flighting" status. It then extends the query to include additional information such as the query details, the number of attempted counts, and the expected number of attempts. Finally, it projects several fields including the time generated, rule name, description, query, username, attempt count, expected attempt count, score, anomaly details, entities, tactics, techniques, and extended links.
Details
Jose Sebastián Canós
Released: December 15, 2022
Tables
Anomalies
Keywords
Anomalies,RuleName,RuleStatus,ExtendedLinks,Query,AttemptCount,AnomalyDetails,TimeGenerated,Description,UserName,ExpectedAttemptCount,Score,Entities,Tactics,Techniques
Operators
whereendswith!=extendtointproject