KQL Search

Query Details

HomeAI ToolsDevice Query

Rating ISP To Detect Potential Attacks And IO Cs Source

Query

**Rating ISP to detect potential attacks and IOCs sources**

**Description:** Researching about how to classify ISP based on different factors, I created a query to ISP based on sign-in attempts. It includes, how to monitor or react against possible attacks from a same ISP, use ISP as a new type of IOC (further than IPs, URL, Domains and FileHashes) and others ones explained in detail.

```
IdentityLogonEvents
| where Timestamp > ago(30d)
| summarize Different_IPs=make_set(IPAddress), Total_different_IPs=dcount(IPAddress) ,Total_sign_attempts = count(), Suspicious_Sign_attempt = countif((ActionType has "OldPassword") or (FailureReason has "WrongPassword") or ( FailureReason has "validating credentials due to invalid username or password.") or ( FailureReason has "The account is locked, you've tried to sign in too many times with an incorrect user ID or password.") or (FailureReason has "Authentication failed.") or (FailureReason has "UnknownUser") or ( FailureReason has "The user account is disabled." )),
 Success_Sign_attempt = count( ActionType has "LogonSuccess"),
 Issues_Sign_attempt = countif((FailureReason has "The session is not valid due to password expiration or recent password change.") or ( FailureReason has "General failure")) by ISP, Location
| extend SuspiciousRatio = Suspicious_Sign_attempt * 1.0 / Total_sign_attempts, ValidRatio = Success_Sign_attempt * 1.0 / Total_sign_attempts, IssuesRatio = Issues_Sign_attempt * 1.0 / Total_sign_attempts
| extend SuspiciousPercentage = SuspiciousRatio * 100, ValidPercentage = ValidRatio * 100, IssuesPercentatge = IssuesRatio * 100
| order by SuspiciousPercentage
```

Explanation

This query is designed to analyze sign-in attempts over the past 30 days to identify potentially malicious activity from Internet Service Providers (ISPs). Here's a simplified breakdown of what the query does:

  1. Data Source: It uses the IdentityLogonEvents table, which contains records of sign-in events.

  2. Time Frame: It filters the data to include only events from the last 30 days.

  3. Data Aggregation:

    • It groups the data by ISP and Location.
    • It calculates several metrics for each ISP:
      • Different_IPs: A list of unique IP addresses used for sign-ins.
      • Total_different_IPs: The count of unique IP addresses.
      • Total_sign_attempts: The total number of sign-in attempts.
      • Suspicious_Sign_attempt: The number of sign-in attempts that failed due to reasons suggesting suspicious activity (e.g., wrong password, account locked, unknown user).
      • Success_Sign_attempt: The number of successful sign-ins.
      • Issues_Sign_attempt: The number of sign-in attempts that failed due to issues like password expiration.

  4. Ratios and Percentages:

    • It calculates the ratio and percentage of suspicious, successful, and issue-related sign-in attempts relative to the total sign-in attempts for each ISP.

  5. Sorting: The results are ordered by the percentage of suspicious sign-in attempts, allowing for easy identification of ISPs with potentially malicious activity.

Overall, this query helps in classifying ISPs based on their sign-in activity patterns, identifying those that might be sources of attacks or other security concerns.

Details

Sergio Albea profile picture

Sergio Albea

Released: November 21, 2024

Tables

IdentityLogonEvents

Keywords

IdentityLogonEventsTimestampIPAddressActionTypeFailureReasonISPLocation

Operators

agosummarizemake_setdcountcountcountifhasbyextendorder by

Actions