Query Details
//Understanding Sentinel password spray data with Copilot for Microsoft 365
//https://www.linkedin.com/pulse/understanding-sentinel-password-spray-data-copilot-microsoft-lim-i7o3c/
SigninLogs
| where TimeGenerated > ago(1d)
| where ResultType == "50126"
// ResultType == "50053" - Account is locked because user tried to sign in too many times with an incorrect user ID or password.
// ResultType == "50053" - Sign-in was blocked because it came from an IP address with malicious activity
// ResultType == "50126" - Invalid username or password or Invalid on-premise username or password.
| extend City = tostring(LocationDetails.city)
| extend State = tostring(LocationDetails.state)
| extend Country = tostring(LocationDetails.countryOrRegion)
| project TimeGenerated, UserPrincipalName, ResultType, ResultDescription, Country, State, City, AppDisplayName, ClientAppUsed, UserAgent
This KQL (Kusto Query Language) query is designed to analyze sign-in logs in Microsoft Sentinel to identify potential password spray attacks. Here's a simple summary of what the query does:
- Reads from the SigninLogs table.
- Restricts results to the last day (TimeGenerated > ago(1d)).
- Keeps only events whose ResultType is "50126", which indicates an invalid username or password.
- Extracts City, State and Country from the LocationDetails field.
- Projects TimeGenerated, UserPrincipalName, ResultType, ResultDescription, Country, State, City, AppDisplayName, ClientAppUsed, and UserAgent.

In essence, this query helps you identify failed sign-in attempts due to incorrect usernames or passwords over the past day, along with relevant location and application details.
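The query above lists individual failures; a spray only becomes visible once failures are grouped by source and counted across distinct accounts. The following is an added example, not part of the original post, that builds on the same SigninLogs columns to do that aggregation and to flag source IPs that also recorded a successful sign-in. The thresholds (20 distinct users per 10-minute bin) are assumed starting points, not values from the article.

```kql
// Added example (not from the original post). Assumed thresholds: tune per tenant.
let lookback = 1d;
let window = 10m;
let minDistinctUsers = 20;
// Step 1: failed sign-ins grouped by source IP and time bin.
// One IP hitting many different accounts in a short window is the spray signature.
let sprays = SigninLogs
| where TimeGenerated > ago(lookback)
| where ResultType in ("50126", "50053")   // bad password / account locked
| extend Country = tostring(LocationDetails.countryOrRegion)
| summarize
    FailedAttempts = count(),
    DistinctUsers  = dcount(UserPrincipalName),
    SampleUsers    = make_set(UserPrincipalName, 5),
    Apps           = make_set(AppDisplayName, 5),
    Countries      = make_set(Country, 5),
    FirstSeen      = min(TimeGenerated),
    LastSeen       = max(TimeGenerated)
  by IPAddress, TimeBin = bin(TimeGenerated, window)
| where DistinctUsers >= minDistinctUsers;
// Step 2: any successful sign-in (ResultType "0") from the same IP in the lookback window.
// A spray followed by a success from the same source is the case to triage first.
let successes = SigninLogs
| where TimeGenerated > ago(lookback)
| where ResultType == "0"
| summarize
    SuccessCount    = count(),
    SuccessfulUsers = make_set(UserPrincipalName, 10),
    FirstSuccess    = min(TimeGenerated)
  by IPAddress;
sprays
| join kind=leftouter successes on IPAddress
| extend SuccessCount = coalesce(SuccessCount, 0)   // leftouter yields null when no success
| extend Priority = iff(SuccessCount > 0 and FirstSuccess > FirstSeen,
                        "High - spray followed by success",
                        "Medium - spray only")
| project TimeBin, IPAddress, FailedAttempts, DistinctUsers, SampleUsers, Apps, Countries,
          FirstSeen, LastSeen, SuccessCount, SuccessfulUsers, Priority
| order by Priority asc, DistinctUsers desc, FailedAttempts desc
```

Legitimate shared egress (VPN concentrators, proxies) can also produce many distinct users from one IP, so check the Apps and UserAgent mix before escalating.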

Steven Lim
Released: August 2, 2024