Malicious ISP Detection
Query
//This query identifies ISPs with only failed sign-in attempts
//Helps detect potentially malicious ISPs and associated IPs
//Configurable threshold for minimum number of failed attempts
IdentityLogonEvents
| where Timestamp > ago(30d)
| project ISP, Location, IPAddress, FailureReason
| summarize valid = countif(isempty(FailureReason) or FailureReason contains "Success"), failure = countif( isnotempty(FailureReason) and FailureReason !contains "Success"), make_set(IPAddress) by ISP, Location
| order by failure
| where valid == 0 and failure > 5Explanation
This query is designed to identify Internet Service Providers (ISPs) that have only experienced failed sign-in attempts over the past 30 days. It helps in detecting potentially malicious ISPs and their associated IP addresses. Here's a breakdown of what the query does:
- Data Source: It starts by looking at the
IdentityLogonEventstable. - Time Frame: It filters the data to include only events from the last 30 days.
- Data Selection: It selects (or projects) the columns for ISP, Location, IPAddress, and FailureReason.
- Summarization: It summarizes the data by counting:
valid: The number of successful sign-ins (whereFailureReasonis empty or contains "Success").failure: The number of failed sign-ins (whereFailureReasonis not empty and does not contain "Success").- It also collects a set of unique IP addresses associated with each ISP and Location.
- Ordering: It orders the results by the number of failed attempts.
- Filtering: It filters the results to show only those ISPs where:
- There are no successful sign-ins (
valid == 0). - There are more than 5 failed sign-in attempts (
failure > 5).
- There are no successful sign-ins (
In simple terms, this query finds ISPs that have only failed login attempts, with more than five failures, to help identify suspicious activity.
Details

Sergio Albea
Released: November 10, 2024
Tables
IdentityLogonEvents
Keywords
IdentityLogonEventsISPLocationIPAddressFailureReason
Operators
agoprojectsummarizecountifisemptycontainsisnotempty!containsmake_setorder bywhere