Brute force cyber attacks account for 5% of security breaches on governments, businesses, organizations, and private individuals. The actors are getting more an more clever in their techniques so you want to catch these attempts. You can detect this brute force attempt by monitoring Active Directory data for a high number of failed login attempts within a period of time.
In this lab you will detect a brute force hacking technique used to find out the user credentials by applying both conditional statements and advanced filtering capabilities.
Create a brute force attack query
- Click +New, and select Log Search. Paste the query below into the query builder. Change your time to Last 30 days and then click Start.
| json field=_raw "operationName"
| where %operationName = "Sign-in activity"
| json field=_raw "resultType"
| json field=_raw "properties.userPrincipalName" as identity
| if(resultType = "0",1,0) as success_count
| if(resultType = "1",1,0) as failure_count
| timeslice 5m
| sum(success_count) as Success, sum(failure_count) as Failure by identity,_timeslice
| where Success > 0 AND Failure > 8
| sort by _timeslice desc
| top 1 identity,_timeslice,Success,Failure
| fields - _count
- Save this query as Potential Brute force Attacks and publish the table to the Dashboard that we created back in Lab 2.
- This will save the new panel into your dashboard that is in your personal folder and also open the dashboard. We will come back to this dashboard to add other queries.