Query Details

Security Alert Unusual Number Of Failed Sign In Attempts

Query

SecurityAlert
| where AlertName has "Unusual number of failed sign-in attempts" and ProviderName == "Azure Security Center"
| summarize arg_min(TimeGenerated, *) by SystemAlertId
| extend ExtendedProperties = todynamic(ExtendedProperties)
| extend
    MachineName = tostring(ExtendedProperties["Machine Name"]),
    IPAddress = tostring(ExtendedProperties["IP Address"]),
    ResourceType = tostring(ExtendedProperties["resourceType"])
// Clean Entities
| extend Entities = replace_regex(Entities, @'(\,\"\w+\"\:\{\"\$ref\"\:\"\d+\"\}|\"\w+\"\:\{\"\$ref\"\:\"\d+\"\}\,|\,\{\"\$ref\"\:\"\d+\"\})|\"\$id\"\:\"\d+\"\,', '')
| summarize
    TimeGenerated = min(TimeGenerated),
    StartTime = min(StartTime),
    EndTime = max(EndTime),
    IPAddresses = make_set_if(IPAddress, isnotempty(IPAddress), 250),
    ExtendedLinks = make_set(ExtendedLinks, 250),
    AlertLinks = make_set(AlertLink, 250),
    Entities = make_set(todynamic(Entities)),
    take_any(RemediationSteps, Tactics, Techniques)
    by AlertName, AlertSeverity, Description, ResourceId = tolower(ResourceId), MachineName, ResourceType
| project
    TimeGenerated,
    AlertName,
    AlertSeverity,
    Description,
    RemediationSteps,
    ResourceId,
    ResourceType,
    StartTime,
    EndTime,
    MachineName,
    IPAddresses,
    ExtendedLinks,
    AlertLinks,
    Tactics,
    Techniques,
    Entities

Explanation

This KQL query is designed to analyze security alerts related to unusual numbers of failed sign-in attempts, specifically from the Azure Security Center. Here's a simplified breakdown of what the query does:

  1. Filter Alerts: It starts by filtering the SecurityAlert table to find alerts with the name "Unusual number of failed sign-in attempts" and generated by "Azure Security Center".

  2. Summarize Alerts: It uses arg_min to get the earliest instance of each alert based on SystemAlertId, ensuring that only the first occurrence of each alert is considered.

  3. Extract Properties: The query extracts specific properties from the ExtendedProperties field, such as MachineName, IPAddress, and ResourceType.

  4. Clean Entities: It cleans up the Entities field by removing certain patterns using regular expressions, likely to simplify the data structure.

  5. Aggregate Data: The query then aggregates the data:

    • Finds the earliest TimeGenerated and StartTime, and the latest EndTime.
    • Collects unique IP addresses, extended links, and alert links.
    • Groups entities into a set.
    • Selects any available remediation steps, tactics, and techniques.
  6. Project Results: Finally, it selects and organizes the relevant fields to display, such as TimeGenerated, AlertName, AlertSeverity, Description, and others, for easy analysis and reporting.

In summary, this query is used to identify and analyze specific security alerts related to failed sign-in attempts, extract and clean relevant data, and present a summarized view of the alerts with key details.

Details

Jose Sebastián Canós profile picture

Jose Sebastián Canós

Released: February 5, 2024

Tables

SecurityAlert

Keywords

SecurityAlertAzureSecurityCenterMachineNameIPAddressResourceTypeAlertNameAlertSeverityDescriptionResourceIdTimeGeneratedStartTimeEndTimeRemediationStepsTacticsTechniquesEntities

Operators

wherehasandsummarizearg_minbyextendtodynamictostringreplace_regexminmaxmake_set_ifisnotemptymake_settake_anytolowerproject

Actions

GitHub