Query Details
//Visualize Entra Password Spray Attack with ADX Interactive Map
//https://www.linkedin.com/pulse/visualize-entra-password-spray-attack-adx-interactive-steven-lim-dfonc/
//For those interested in visualizing a password spray attack on the top picture chart, you can use the below KQL and view it in "Chart" mode.
//ResultType 50126 = invalid username or password; 50053 = account locked after repeated bad sign-ins.
SigninLogs
| where TimeGenerated > ago(7d)
| where ResultType == "50053" or ResultType == "50126"
| summarize PasswordSpray_Per_HalfHour=count() by bin(TimeGenerated, 30m)
//Replace the above blog's KQL with the below KQL to visualize Password Spray Attack locations.
SigninLogs
| where TimeGenerated > ago(7d)
| where ResultType == "50053" or ResultType == "50126"
| where isnotempty(LocationDetails.geoCoordinates)
| extend Latitude = toreal(LocationDetails.geoCoordinates["latitude"])
| extend Longitude = toreal(LocationDetails.geoCoordinates["longitude"])
| summarize Count = count() by Longitude, Latitude
| project Longitude, Latitude, Count
| render scatterchart with (kind=map)
This query is designed to visualize password spray attacks using data from SigninLogs. Here's a simple summary:
Filter Data: It looks at login attempts from the past 7 days (TimeGenerated > ago(7d)) and filters for specific failed login result types (ResultType == "50053" or ResultType == "50126").
Extract Location Data: It further filters for logs that have geographical coordinates (isnotempty(LocationDetails.geoCoordinates)), and extracts the latitude and longitude from these coordinates.
Count and Visualize: It counts the number of attacks at each location (longitude and latitude) and then visualizes this data on a map using a scatter chart.
In essence, this query helps you see where password spray attacks are happening geographically over the past week. Note that it plots every failed sign-in carrying those two result codes, so ordinary users mistyping their passwords appear alongside spray traffic; a spray stands out as a location whose failures are spread across many distinct accounts.
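As an added example (not part of the original post), the location query extended to keep only spray-like traffic: a location is plotted only when failures from it hit at least 10 distinct accounts within one half-hour window. UserPrincipalName is a standard SigninLogs column; the threshold of 10 is an assumed starting value, not one from the post.

```kql
// Added example: plot only locations where failures are spread across many
// accounts, the signature of a spray rather than one user mistyping a password.
SigninLogs
| where TimeGenerated > ago(7d)
| where ResultType in ("50053", "50126")
| where isnotempty(LocationDetails.geoCoordinates)
| extend Latitude = toreal(LocationDetails.geoCoordinates["latitude"]),
         Longitude = toreal(LocationDetails.geoCoordinates["longitude"])
// Per location and half-hour window: total failures and how many distinct
// accounts those failures touched.
| summarize Failures = count(),
            TargetedAccounts = dcount(UserPrincipalName)
    by Longitude, Latitude, Window = bin(TimeGenerated, 30m)
// Assumed threshold: 10 or more distinct accounts failing from one location
// in one window. Tune this to the tenant's normal failure rate.
| where TargetedAccounts >= 10
// Roll the qualifying windows back up to one point per location; Count is the
// third column the map marker uses, as in the original query.
| summarize Count = sum(Failures) by Longitude, Latitude
| project Longitude, Latitude, Count
| render scatterchart with (kind=map)
```

Locations that never cross the per-window account threshold drop out of the map entirely, so a quiet map after a known spray means the threshold is too high for the tenant.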

Steven Lim
Released: August 2, 2024