KQL Search

//When Defender for Cloud Apps detects password spray activity, summarize the impact to your users

//Data connector required for this query - Security Alert (free table that other Defender products send alert info to)
//Data connector required for this query - Azure Active Directory - Signin Logs

let failureCodes = dynamic([50053, 50126, 50055]);
let successCodes = dynamic([0, 50055, 50057, 50155, 50105, 50133, 50005, 50076, 50079, 50173, 50158, 50072, 50074, 53003, 53000, 53001, 50129]);
//Using the Security Alert table find any IP addresses associated with password spray activity. This query looks back 7 days to find alerts as this can be an offline detection, but you can adjust.
//Microsoft Sentinel query
let maliciousip=
    SecurityAlert
    | where TimeGenerated > ago (7d)
    | where AlertName == "Activity from a password-spray associated IP address"
    | mv-expand todynamic(Entities)
    | project TimeGenerated, Entities
    | extend IPAddress = tostring(Entities.Address)
    | where isnotempty(IPAddress)
    | distinct IPAddress;
//Look back in your signin logs the last 30 days and summarize activity from that address
SigninLogs
| where TimeGenerated > ago(30d)
| where IPAddress in (maliciousip)
| summarize
    ['Count of distinct successful sign ins'] = dcountif(UserPrincipalName, (ResultType in(successCodes))),
    ['List of successful users']=make_set_if(UserPrincipalName, (ResultType in(successCodes))),
    ['Successful result codes'] = make_set_if(ResultType, (ResultType in(successCodes))),
    ['Count of distinct failed sign ins'] = dcountif(UserPrincipalName, (ResultType in(failureCodes))),
    ['List of failed users'] = make_set_if(UserPrincipalName, (ResultType in(failureCodes))),
    ['Failed result codes'] = make_set_if(ResultType, (ResultType in(failureCodes)))
    by IPAddress

//Advanced hunting query

//Data connector required for this query - Advanced Hunting license
//Data connector required for this query - Advanced Hunting with Azure AD P2

let failureCodes = dynamic([50053, 50126, 50055]);
let successCodes = dynamic([0, 50055, 50057, 50155, 50105, 50133, 50005, 50076, 50079, 50173, 50158, 50072, 50074, 53003, 53000, 53001, 50129]);
let alertid=
AlertInfo
| where Timestamp > ago(7d)
| where Title == @"Activity from a password-spray associated IP address"
| distinct AlertId;
let maliciousip=
AlertEvidence
| where AlertId in (alertid)
| where EntityType == @"Ip"
| extend AF = parse_json(AdditionalFields)
| extend IPAddress = tostring(AF.Address)
| distinct IPAddress;
AADSignInEventsBeta
| where Timestamp > ago(30d)
| where IPAddress in (maliciousip)
| summarize
    ['Count of distinct successful sign ins'] = dcountif(AccountUpn, (ErrorCode in(successCodes))),
    ['List of successful users']=make_set_if(AccountUpn, (ErrorCode in(successCodes))),
    ['Successful result codes'] = make_set_if(ErrorCode, (ErrorCode in(successCodes))),
    ['Count of distinct failed sign ins'] = dcountif(AccountUpn, (ErrorCode in(failureCodes))),
    ['List of failed users'] = make_set_if(AccountUpn, (ErrorCode in(failureCodes))),
    ['Failed result codes'] = make_set_if(ErrorCode, (ErrorCode in(failureCodes)))
    by IPAddress