Query Details

New Brute Force Attacks

Query

// Source IPs that must never raise this alert (for example a known scanner or gateway).
let ExcludedIP = dynamic([
'172.24.1.4'
]);
// Account / source-IP pairs that were already failing heavily in the 50 minutes
// before the current 10-minute window. toscalar() turns the single make_set()
// value into a dynamic array so it can be used with !in exactly like ExcludedIP;
// without it the let statement yields a one-row table whose only column is an
// array, and the final !in below never matches anything.
let PreviousFailures = toscalar(SecurityEvent
| where TimeGenerated between (ago(60m) .. ago(10m))
| where EventID == 4625                      // an account failed to log on
| where SubStatus != "0xc0000064"            // ignore "user name does not exist"
| where AccountType != 'Machine'
| where IpAddress !in (ExcludedIP)
// bin() boundaries are aligned to the epoch, not to the query window, so the
// 50-minute window can straddle two bins; the threshold then applies per bin.
| summarize FailureCount=count() by TargetAccount, IpAddress, bin(TimeGenerated, 50m)
| where FailureCount >= 50
| summarize make_set(strcat(TargetAccount, ' ', IpAddress)));
// Pairs that crossed 10 failures in the last 10 minutes and were not already in
// the earlier set, i.e. attacks that have only just started.
SecurityEvent
| where TimeGenerated > ago(10m)
| where EventID == 4625
| where SubStatus != "0xc0000064"
| where AccountType != 'Machine'
| where IpAddress !in (ExcludedIP)
| summarize FailureCount=count() by TargetAccount, IpAddress, bin(TimeGenerated, 10m)
| where FailureCount >= 10
| where strcat(TargetAccount, ' ', IpAddress) !in (PreviousFailures)

Explanation

This query looks for accounts that have only just started receiving a high number of failed logons. It keeps only event ID 4625 (failed logon), drops failures whose SubStatus is 0xc0000064 (the user name does not exist), ignores machine accounts, and skips a list of excluded source IP addresses. The first statement builds the set of target account / source IP pairs that already had 50 or more failures in the 50 minutes preceding the last 10 minutes. The second statement counts failures per pair over the last 10 minutes, keeps pairs with 10 or more, and discards any pair that is already in the earlier set, so only newly started attacks are reported rather than ones that were already noisy.
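The same two-window logic run over constructed 4625-style records, as an added example that is not part of the original page: it shows an ongoing attack being suppressed and the excluded IP, unknown-user and machine-account rows being dropped. Field names mirror the SecurityEvent columns used by the query; the sample events and the clock are made up.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed constants mirroring the query: the excluded source IP, and the
# SubStatus the query drops (0xc0000064, "user name does not exist").
EXCLUDED_IPS = {"172.24.1.4"}
NO_SUCH_USER = "0xc0000064"

def eligible(ev):
    """Row filter equivalent to the query's four 'where' clauses."""
    return (ev["EventID"] == 4625
            and ev["SubStatus"].lower() != NO_SUCH_USER
            and ev["AccountType"] != "Machine"
            and ev["IpAddress"] not in EXCLUDED_IPS)

def failing_pairs(events, start, end, threshold):
    """(TargetAccount, IpAddress) pairs with >= threshold failures in [start, end)."""
    counts = Counter((e["TargetAccount"], e["IpAddress"]) for e in events
                     if eligible(e) and start <= e["TimeGenerated"] < end)
    return {pair: n for pair, n in counts.items() if n >= threshold}

def new_brute_force(events, now):
    """Pairs with 10+ failures in the last 10 minutes that were NOT already at
    50+ failures in the preceding 50 minutes (the 'new' part of the query)."""
    m = timedelta(minutes=1)
    previous = failing_pairs(events, now - 60 * m, now - 10 * m, 50)
    recent = failing_pairs(events, now - 10 * m, now, 10)
    return {pair: n for pair, n in recent.items() if pair not in previous}

def synth(now, account, ip, count, minutes_ago, sub="0xc000006a", acct="User"):
    """Constructed 4625 rows: `count` failures for account/ip at minutes_ago."""
    t = now - timedelta(minutes=minutes_ago)
    return [{"TimeGenerated": t, "EventID": 4625, "SubStatus": sub,
             "AccountType": acct, "TargetAccount": account, "IpAddress": ip}
            for _ in range(count)]

def run_sample():
    now = datetime(2020, 7, 7, 12, 0, tzinfo=timezone.utc)   # constructed clock
    events = (
        synth(now, "jdoe", "203.0.113.7", 12, 3)              # new: 12 in last 10m
        + synth(now, "svc-backup", "10.0.0.5", 60, 30)        # 60 failures 30m ago
        + synth(now, "svc-backup", "10.0.0.5", 15, 5)         # still failing: not new
        + synth(now, "admin", "172.24.1.4", 40, 2)            # excluded source IP
        + synth(now, "ghost", "198.51.100.9", 30, 4, sub="0xc0000064")  # unknown user
        + synth(now, "WEB01$", "10.0.0.8", 25, 1, acct="Machine")       # machine account
    )
    return new_brute_force(events, now)

if __name__ == "__main__":
    print(run_sample())   # {('jdoe', '203.0.113.7'): 12}
```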

Details

Rod Trent

Released: July 7, 2020

Tables

SecurityEvent

Keywords

Devices, Intune, User

Operators

where, between, ago, ==, !=, !in, summarize, count(), by, bin, >=, make_set, >, strcat
