Query Details
//Detect when the same IP attempts to brute force a remote connection or attempts to connect to multiple devices and fails over a short time period
//Data connector required for this query - M365 Defender - Device* tables
//Microsoft Sentinel query
DeviceLogonEvents
| where TimeGenerated > ago(1d)
| where LogonType == "RemoteInteractive"
| where ActionType == "LogonFailed"
| summarize
['Count of logon attempts']=count(),
['Count of distinct devices']=dcount(DeviceName),
['List of devices']=make_set(DeviceName)
by RemoteIP, bin(TimeGenerated, 1h)
| where ['Count of distinct devices'] >= 3 or ['Count of logon attempts'] >= 10
//Advanced Hunting query
//Requires a Microsoft 365 Defender license with Advanced Hunting; the table is the same but the time column is Timestamp rather than TimeGenerated
DeviceLogonEvents
| where Timestamp > ago(1d)
| where LogonType == "RemoteInteractive"
| where ActionType == "LogonFailed"
| summarize
['Count of logon attempts']=count(),
['Count of distinct devices']=dcount(DeviceName),
['List of devices']=make_set(DeviceName)
by RemoteIP, bin(Timestamp, 1h)
| where ['Count of distinct devices'] >= 3 or ['Count of logon attempts'] >= 10

This query detects when the same IP address attempts to brute force a remote connection or fails to connect to multiple devices within a short time period. It uses the M365 Defender - Device* tables (DeviceLogonEvents) as the data source and keeps only failed RemoteInteractive (RDP) logons from the last day. For each RemoteIP and 1-hour bin it counts the logon attempts, counts the distinct devices involved and builds a list of those devices, then keeps only IP addresses that failed against at least 3 distinct devices or made at least 10 failed attempts. Because bin() uses fixed hour boundaries, a burst that straddles the top of the hour is split across two bins and can fall under both thresholds in each; shrink the bin, lower the thresholds, or exclude known vulnerability scanners and jump hosts by RemoteIP to suit the environment. This query can be used in Microsoft Sentinel or with an Advanced Hunting license.
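The following Python is an added example, not code from the page or its author: it re-implements the query's filter, per-(RemoteIP, 1h bin) summarize and thresholds over a handful of constructed DeviceLogonEvents-shaped rows, so the detection logic can be exercised offline. It also adds a sliding-window variant to show the bin-boundary gap described above: one constructed IP hits three hosts in eight minutes across 10:00 and trips only the sliding version. The hostnames, IPs and timestamps are made up; the `mk` helper and both function names are this example's own.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample rows shaped like DeviceLogonEvents (TimeGenerated, DeviceName,
# LogonType, ActionType, RemoteIP). All values are made up for this example.
T0 = datetime(2022, 6, 17, 9, 0, tzinfo=timezone.utc)


def mk(minutes, device, ip, logon_type="RemoteInteractive", action="LogonFailed"):
    """Helper (this example's own) that builds one event row at T0 + minutes."""
    return {"TimeGenerated": T0 + timedelta(minutes=minutes), "DeviceName": device,
            "LogonType": logon_type, "ActionType": action, "RemoteIP": ip}


SAMPLE_EVENTS = (
    # 203.0.113.10 fails against three different hosts inside one hour: distinct-device rule.
    [mk(5, "srv-01", "203.0.113.10"), mk(12, "srv-02", "203.0.113.10"),
     mk(40, "srv-03", "203.0.113.10"),
     mk(41, "srv-03", "203.0.113.10", action="LogonSuccess")]      # success: dropped by the filter
    # 198.51.100.7 fails ten times against one host inside one hour: attempt-count rule.
    + [mk(20 + i, "srv-01", "198.51.100.7") for i in range(10)]
    + [mk(25, "srv-01", "198.51.100.7", logon_type="Network")]     # not RDP: dropped by the filter
    # 192.0.2.33 hits three hosts in eight minutes, but the burst straddles 10:00.
    + [mk(57, "srv-01", "192.0.2.33"), mk(58, "srv-02", "192.0.2.33"),
       mk(59, "srv-01", "192.0.2.33"), mk(59, "srv-02", "192.0.2.33")]
    + [mk(61 + i, "srv-03", "192.0.2.33") for i in range(4)]
)


def bin_time(ts, size):
    """Equivalent of KQL bin(ts, size): floor ts to a multiple of size since the epoch."""
    secs = int(size.total_seconds())
    floored = int(ts.timestamp()) // secs * secs
    return datetime.fromtimestamp(floored, tz=timezone.utc)


def is_failed_rdp(e):
    """The query's two where clauses: RemoteInteractive logons that failed."""
    return e["LogonType"] == "RemoteInteractive" and e["ActionType"] == "LogonFailed"


def find_suspicious_ips(events, min_devices=3, min_attempts=10, bin_size=timedelta(hours=1)):
    """Mirror the page's query: summarize per (RemoteIP, bin) and apply the two thresholds."""
    groups = defaultdict(list)
    for e in events:
        if is_failed_rdp(e):
            groups[(e["RemoteIP"], bin_time(e["TimeGenerated"], bin_size))].append(e["DeviceName"])
    hits = []
    for (ip, start), devices in sorted(groups.items()):
        attempts, distinct = len(devices), len(set(devices))   # count() and dcount(DeviceName)
        if distinct >= min_devices or attempts >= min_attempts:
            hits.append({"RemoteIP": ip, "bin": start, "attempts": attempts,
                         "distinct_devices": distinct, "devices": sorted(set(devices))})
    return hits


def find_suspicious_ips_sliding(events, min_devices=3, min_attempts=10, window=timedelta(hours=1)):
    """Same thresholds over a sliding window per IP, which catches bursts that straddle a bin edge."""
    per_ip = defaultdict(list)
    for e in events:
        if is_failed_rdp(e):
            per_ip[e["RemoteIP"]].append((e["TimeGenerated"], e["DeviceName"]))
    hits = {}
    for ip, rows in per_ip.items():
        rows.sort()
        for i, (start, _) in enumerate(rows):
            in_window = [d for t, d in rows[i:] if t - start < window]
            if len(set(in_window)) >= min_devices or len(in_window) >= min_attempts:
                hits[ip] = {"window_start": start, "attempts": len(in_window),
                            "distinct_devices": len(set(in_window))}
                break   # report each IP once, at the first window that trips a threshold
    return hits


if __name__ == "__main__":
    for h in find_suspicious_ips(SAMPLE_EVENTS):
        print("binned :", h["RemoteIP"], h["bin"].strftime("%H:%M"), h["attempts"], h["devices"])
    for ip, h in sorted(find_suspicious_ips_sliding(SAMPLE_EVENTS).items()):
        print("sliding:", ip, h["window_start"].strftime("%H:%M"), h["attempts"], h["distinct_devices"])
```

Running it shows the binned version flagging only 203.0.113.10 and 198.51.100.7, while the sliding version also flags 192.0.2.33. In Sentinel the cheap fix is a smaller bin (for example 15m) with the thresholds tuned to match; a true sliding window costs more and is usually reserved for a scheduled analytics rule with a short lookback.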

Matt Zorich
Released: June 17, 2022