Anomalies Attempted User Account Bruteforce
Query
Anomalies
| where RuleName endswith "Attempted user account bruteforce" and RuleStatus != "Flighting"
| extend
Query = ExtendedLinks[0]["DetailBladeInputs"],
AttemptCount = toint(AnomalyDetails["Observables"][0]["Value"]),
ExpectedAttemptCount = toint(AnomalyDetails["Observables"][0]["TypicalObservations"]["Expected count"])
| project
TimeGenerated,
RuleName,
Description,
Query,
UserName,
AttemptCount,
ExpectedAttemptCount,
Score,
AnomalyDetails,
Entities,
Tactics,
Techniques,
ExtendedLinksExplanation
This query is looking for anomalies related to attempted user account brute force attacks. It filters out any anomalies that are in the "Flighting" status. It then extends the query to include additional information such as the query details, the number of attempted counts, and the expected number of attempts. Finally, it projects several fields including the time generated, rule name, description, query, username, attempt count, expected attempt count, score, anomaly details, entities, tactics, techniques, and extended links.
Details

Jose Sebastián Canós
Released: December 15, 2022
Tables
Anomalies
Keywords
AnomaliesRuleNameRuleStatusExtendedLinksQueryAttemptCountAnomalyDetailsTimeGeneratedDescriptionUserNameExpectedAttemptCountScoreEntitiesTacticsTechniques
Operators
whereendswith!=extendtointproject