Query Details

Security Alert Unusual Number Of Failed Sign In Attempts

Query

SecurityAlert
// Alerts raised by Microsoft Defender for Cloud; the table still reports its ProviderName as "Azure Security Center"
| where AlertName has "Unusual number of failed sign-in attempts" and ProviderName == "Azure Security Center"
// ExtendedProperties is a JSON string; parse it once so individual keys can be read
| extend ExtendedProperties = todynamic(ExtendedProperties)
| extend
    MachineName = tostring(ExtendedProperties["Machine Name"]),
    IPAddress = tostring(ExtendedProperties["IP Address"]),
    ResourceType = tostring(ExtendedProperties["resourceType"])
// Clean Entities: strip the "$id"/"$ref" serialization markers so the JSON parses as a flat array of entities
| extend Entities = replace_regex(Entities, @'(\,\"\w+\"\:\{\"\$ref\"\:\"\d+\"\}|\,{\"\$ref\"\:\"\d+\"\})|\"\$id\"\:\"\d+\"\,', '')
// Collapse all alerts for one machine into a single row
| summarize
    TimeGenerated = min(TimeGenerated),
    StartTime = min(StartTime),
    EndTime = max(EndTime),
    IPAddresses = make_set_if(IPAddress, isnotempty(IPAddress), 250),  // distinct source IPs, blanks skipped, at most 250 kept
    ExtendedLinks = make_set(ExtendedLinks, 250),
    AlertLinks = make_set(AlertLink, 250),
    Entities = make_set(todynamic(Entities)),                          // merged, de-duplicated entity set
    take_any(RemediationSteps, Tactics, Techniques)                    // one representative row's values
    by AlertName, AlertSeverity, Description, ResourceId = tolower(ResourceId), MachineName, ResourceType  // tolower() normalises resource ID casing
| project
    TimeGenerated,
    AlertName,
    AlertSeverity,
    Description,
    RemediationSteps,
    ResourceId,
    ResourceType,
    StartTime,
    EndTime,
    MachineName,
    IPAddresses,
    ExtendedLinks,
    AlertLinks,
    Tactics,
    Techniques,
    Entities

Explanation

This query pulls alerts named "Unusual number of failed sign-in attempts" from the SecurityAlert table and keeps only those whose ProviderName is "Azure Security Center", the provider value under which Microsoft Defender for Cloud (formerly Azure Security Center) writes its alerts. The alert is raised when a machine records an abnormal volume of failed logons, the usual footprint of brute-force or password-spray activity against an exposed logon service.

ExtendedProperties is stored as a JSON string, so the query parses it with todynamic() and lifts out "Machine Name", "IP Address" and "resourceType" as plain columns. The Entities column carries the "$id"/"$ref" markers produced when the entity graph is serialized; replace_regex() strips them so that todynamic() yields a flat array of entity objects. Note that the "$ref" links are discarded in the process, so the summarized entity set no longer records which IP or account was attached to which host. The summarize step then collapses all matching alerts for one resource into a single row, keyed on AlertName, AlertSeverity, Description, the lower-cased ResourceId (Azure resource IDs are case-insensitive, and lower-casing stops one VM from splitting into several groups), MachineName and ResourceType. For each group it keeps the earliest TimeGenerated and StartTime, the latest EndTime, the set of distinct source IPs (blanks excluded, capped at 250 like the link sets), the merged entity set, and one representative row's RemediationSteps, Tactics and Techniques via take_any(). Finally it projects the columns listed.

Two caveats when reusing this: the 250-element cap on make_set_if() means a wide spray can have source IPs silently dropped from IPAddresses, and because Description participates in the grouping, alerts whose description text differs will stay on separate rows even when they concern the same machine.
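As an added, offline illustration (not part of the original query and not Microsoft's code), the Python below re-implements the two steps above that are hard to see from the KQL alone: the Entities cleanup, using the exact regular expression the query passes to replace_regex(), and the per-machine roll-up, approximating todynamic(), make_set_if() and the summarize ... by clause. The alert rows it runs on are constructed to match the SecurityAlert column shapes (the subscription ID is a placeholder; hosts, IPs and times are made up), and AlertSeverity and Description are left out of the grouping key to keep the sample short. Python is used because KQL cannot be executed outside a Log Analytics workspace, and this pattern uses only constructs that behave the same in Kusto's RE2 engine and Python's re module.

```python
import json
import re


# The exact pattern the KQL hands to replace_regex().  It deletes three token shapes:
#   ,"Key":{"$ref":"N"}   a property that only points at another entity
#   ,{"$ref":"N"}         an array element that only points at another entity
#   "$id":"N",            the identifier those references target
# so that what remains is ordinary JSON.  It assumes the compact serialization
# (no whitespace around ':' and ',') used in the Entities column.
ENTITY_CLEANUP = re.compile(
    r'(\,\"\w+\"\:\{\"\$ref\"\:\"\d+\"\}|\,{\"\$ref\"\:\"\d+\"\})|\"\$id\"\:\"\d+\"\,'
)


def clean_entities(raw: str) -> str:
    """Stand-in for replace_regex(Entities, <pattern>, '')."""
    return ENTITY_CLEANUP.sub("", raw)


def parse_entities(raw: str) -> list:
    """Stand-in for todynamic(Entities) after the cleanup."""
    return json.loads(clean_entities(raw))


def count_entity_refs(raw: str) -> int:
    """Cross-entity links ("$ref") present before cleanup.  The query throws these
    away, so which IP or account belonged to which host is no longer recoverable
    from the summarized Entities set."""
    return len(re.findall(r'"\$ref"', raw))


def summarize_alerts(rows: list, max_set: int = 250) -> list:
    """Approximation of the query's summarize ... by AlertName,
    ResourceId = tolower(ResourceId), MachineName, ResourceType (AlertSeverity and
    Description are omitted from the constructed rows).  IPs are collected like
    make_set_if(IPAddress, isnotempty(IPAddress), 250): blanks skipped, duplicates
    dropped, at most max_set kept."""
    groups = {}
    for row in rows:
        props = json.loads(row["ExtendedProperties"])          # todynamic(ExtendedProperties)
        key = (row["AlertName"], row["ResourceId"].lower(),    # tolower(ResourceId)
               props.get("Machine Name", ""), props.get("resourceType", ""))
        g = groups.setdefault(key, {"StartTime": row["StartTime"], "EndTime": row["EndTime"],
                                    "IPAddresses": [], "Entities": []})
        g["StartTime"] = min(g["StartTime"], row["StartTime"])  # min(StartTime)
        g["EndTime"] = max(g["EndTime"], row["EndTime"])        # max(EndTime)
        ip = props.get("IP Address", "")
        if ip and ip not in g["IPAddresses"] and len(g["IPAddresses"]) < max_set:
            g["IPAddresses"].append(ip)
        for entity in parse_entities(row["Entities"]):          # make_set(todynamic(Entities))
            if entity not in g["Entities"]:
                g["Entities"].append(entity)
    return [dict(zip(("AlertName", "ResourceId", "MachineName", "ResourceType"), key), **agg)
            for key, agg in groups.items()]


# --- constructed sample rows: SecurityAlert column shapes with made-up values ----
SUBSCRIPTION = "00000000-0000-0000-0000-000000000000"  # placeholder subscription id


def make_row(machine: str, ip: str, start: str, end: str) -> dict:
    """Build one constructed alert row; Entities is serialized compactly, as in the table."""
    entities = [{"$id": "4", "HostName": machine, "OSFamily": "Windows", "Type": "host"}]
    if ip:
        entities.append({"$id": "5", "Address": ip, "Type": "ip", "Host": {"$ref": "4"}})
    entities.append({"$id": "6", "Name": "administrator", "Host": {"$ref": "4"}, "Type": "account"})
    return {
        "AlertName": "Unusual number of failed sign-in attempts",
        "ResourceId": f"/subscriptions/{SUBSCRIPTION}/resourceGroups/rg-prod"
                      f"/providers/Microsoft.Compute/virtualMachines/{machine.upper()}",
        "StartTime": start,
        "EndTime": end,
        "ExtendedProperties": json.dumps(
            {"Machine Name": machine, "IP Address": ip, "resourceType": "Virtual Machine"}),
        "Entities": json.dumps(entities, separators=(",", ":")),
    }


SAMPLE_ROWS = [
    make_row("vm-web-01", "203.0.113.45", "2023-03-27T08:00:00Z", "2023-03-27T08:30:00Z"),
    make_row("vm-web-01", "198.51.100.7", "2023-03-27T09:15:00Z", "2023-03-27T09:45:00Z"),
    make_row("vm-web-01", "",             "2023-03-27T08:05:00Z", "2023-03-27T08:20:00Z"),  # no IP reported
    make_row("vm-web-01", "203.0.113.45", "2023-03-27T07:50:00Z", "2023-03-27T08:10:00Z"),  # repeat IP
    make_row("vm-db-01",  "203.0.113.45", "2023-03-27T08:02:00Z", "2023-03-27T08:40:00Z"),
]

if __name__ == "__main__":
    for out in summarize_alerts(SAMPLE_ROWS):
        print(out["MachineName"], out["StartTime"], out["EndTime"], out["IPAddresses"])
```

Running it collapses the four vm-web-01 alerts into one row with two distinct source IPs and a window spanning all four alerts, while the cleaned Entities come out as plain objects with every "$id" and "$ref" gone, which is the shape the summarized query output has in the workspace.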

Details


Jose Sebastián Canós

Released: March 28, 2023

Tables

SecurityAlert

Keywords

SecurityAlert,AlertName,ProviderName,AzureSecurityCenter,ExtendedProperties,MachineName,IPAddress,resourceType,Entities,replace_regex,TimeGenerated,StartTime,EndTime,IPAddress,make_set_if,isnotempty,ExtendedLinks,AlertLink,RemediationSteps,Tactics,Techniques,AlertSeverity,Description,ResourceId,take_any,project

Operators

has, ==, extend, tostring, replace_regex, summarize, min, max, make_set_if, isnotempty, make_set, todynamic, take_any, by, project
