23 строки
815 B
YAML
23 строки
815 B
YAML
id: b00f127c-46fa-40bd-9ab6-b266974d29cc
|
|
name: Attempts to sign in to disabled accounts by account name
|
|
description: |
|
|
'Failed attempts to sign in to disabled accounts summarized by account name'
|
|
requiredDataConnectors:
|
|
- connectorId: AzureActiveDirectory
|
|
dataTypes:
|
|
- SigninLogs
|
|
tactics:
|
|
- InitialAccess
|
|
relevantTechniques:
|
|
- T1078
|
|
query: |
|
|
|
|
let timeRange = 14d;
|
|
SigninLogs
|
|
| where TimeGenerated >= ago(timeRange)
|
|
| where ResultType == "50057"
|
|
| where ResultDescription == "User account is disabled. The account has been disabled by an administrator."
|
|
| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), count() by AppDisplayName, UserPrincipalName
|
|
| extend timestamp = StartTimeUtc, AccountCustomEntity = UserPrincipalName
|
|
| order by count_ desc
|
|
|