Query Details

Threat Intelligence Data From Sentinel UEBA2

Query

// Threat Intelligence Data from Sentinel UEBA
// https://www.linkedin.com/posts/activity-7216452632528183298-MPGG/

// Are you curious to know which ISP in the world is brute force attacking your Entra tenant the most in the past 90 days? 🤔 If you have Sentinel UEBA enabled, the below KQL query will tell you the answer. I was rather surprised to see my no. 1 brute force attacker ISP when the KQL query gave me the answer. 😅

BehaviorAnalytics
| where TimeGenerated > ago(90d)
| where DevicesInsights contains "ThreatIntelIndicatorType"
| extend ISP = tostring(DevicesInsights.ISP)
| extend BruteForcer = tostring(ActivityInsights.UnusualNumberOfDistinctUsersFailedSignInFromIPAddress)
| where BruteForcer == "True"
| where ISP != ""
| summarize Count=count() by ISP
| sort by Count desc

Explanation

This KQL query is designed to identify which Internet Service Provider (ISP) has been performing the most brute force attacks on your Entra tenant over the past 90 days, using data from Microsoft Sentinel's User and Entity Behavior Analytics (UEBA). Here's a simplified breakdown of what the query does:

  1. Select Data: It pulls data from the BehaviorAnalytics table.
  2. Time Filter: It filters the data to include only the last 90 days.
  3. Threat Intelligence Filter: It keeps only records whose DevicesInsights enrichment contains a threat intelligence indicator type, i.e. the source IP matched a threat intelligence indicator.
  4. Extract ISP: It extracts the ISP name from the DevicesInsights enrichment.
  5. Identify Brute Force Attacks: It keeps records where UEBA flagged an unusual number of distinct users with failed sign-ins from the same IP address, the pattern of a brute force or password spray attack.
  6. Filter Out Empty ISP: It removes records where the ISP information is missing.
  7. Count Attacks by ISP: It counts the number of brute force attacks for each ISP.
  8. Sort Results: It sorts the results in descending order to show the ISP with the most brute force attacks at the top.

In summary, this query helps you find out which ISP has been the most aggressive in attempting brute force attacks on your Entra tenant in the last 90 days.
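The query above reports one row per ISP. To verify a ranking like that before acting on it, a defender usually wants the individual source IPs behind each ISP, how many distinct accounts each IP targeted, and when it was active. The following KQL is an added example, not Steven Lim's query; it keeps the same filters and adds a per-IP breakdown. It assumes the BehaviorAnalytics columns SourceIPAddress, UserPrincipalName and InvestigationPriority and the DevicesInsights field ThreatIntelIndicatorDescription, none of which the original query uses.

```kql
// Added example: per-ISP, per-source-IP breakdown of the UEBA brute force signal.
// Assumed columns (not used in the original query): SourceIPAddress,
// UserPrincipalName, InvestigationPriority, DevicesInsights.ThreatIntelIndicatorDescription.
let lookback = 90d;
BehaviorAnalytics
| where TimeGenerated > ago(lookback)
// Same threat-intelligence and ISP extraction as the original query
| where DevicesInsights contains "ThreatIntelIndicatorType"
| extend ISP = tostring(DevicesInsights.ISP)
| extend IndicatorType = tostring(DevicesInsights.ThreatIntelIndicatorType)
| extend IndicatorDescription = tostring(DevicesInsights.ThreatIntelIndicatorDescription)
| extend BruteForcer = tostring(ActivityInsights.UnusualNumberOfDistinctUsersFailedSignInFromIPAddress)
| where BruteForcer == "True"
| where isnotempty(ISP)
// One row per ISP and source IP instead of one row per ISP
| summarize
    Events = count(),
    DistinctUsersTargeted = dcount(UserPrincipalName),
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated),
    MaxInvestigationPriority = max(InvestigationPriority),
    IndicatorTypes = make_set(IndicatorType),
    IndicatorDescriptions = make_set(IndicatorDescription)
    by ISP, SourceIPAddress
| sort by Events desc, DistinctUsersTargeted desc
```

The ISP totals from the original query can be recovered from this result with `summarize sum(Events) by ISP`. The per-IP rows are what you would cross-check against SigninLogs for the same SourceIPAddress and time window, and they are the granularity at which a named-location block or Conditional Access policy is actually written; the ISP name alone is too coarse for either.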

Details


Steven Lim

Released: August 2, 2024

Tables

BehaviorAnalytics

Keywords

BehaviorAnalytics, DevicesInsights, Activity

Operators

|, where, >, ago, contains, extend, tostring, ==, !=, summarize, count, by, sort, desc
