Mirrors/marcredhat-kql
1
0
Fork 0
mirror of https://github.com/marcredhat/kql synced 2026-06-08 13:23:58 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
23cbaa9c08e081cbfa54c7ec8959f1d4fc78d7b4
marcredhat-kql/kql/15_slow_brute_force.kql
T

8 lines
380 B
Plaintext
Raw Blame History

let codes = dynamic([50053,50126,50055,50057,50155,50105,50133,50005,50076,
50079,50173,50158,50072,50074,53003,53000,53001,50129]);
SigninLogs
| where TimeGenerated > ago(1d) | where ResultType in (codes)
| summarize FailedAttempts = count(), UniqueUsers = dcount(UserPrincipalName)
by IPAddress
| where FailedAttempts > 5 and UniqueUsers > 5
Reference in New Issue View Git Blame Copy Permalink