30 строки
1.4 KiB
YAML
30 строки
1.4 KiB
YAML
id: cf83633e-5dfd-4887-993b-c910452439da
|
|
name: Failed attempt to access Azure Portal
|
|
description: |
|
|
'Access attempts to Azure Portal from an unauthorized user. Either invalid password or the user account does not exist.'
|
|
requiredDataConnectors:
|
|
- connectorId: AzureActiveDirectory
|
|
dataTypes:
|
|
- SigninLogs
|
|
tactics:
|
|
- InitialAccess
|
|
relevantTechniques:
|
|
- T1078
|
|
query: |
|
|
|
|
let timeRange=ago(7d);
|
|
SigninLogs
|
|
| where TimeGenerated >= timeRange
|
|
| where AppDisplayName contains "Azure Portal"
|
|
// 50126 - Invalid username or password, or invalid on-premises username or password.
|
|
// 50020? - The user doesn't exist in the tenant.
|
|
| where ResultType in ( "50126" , "50020")
|
|
| extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser
|
|
| extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)
|
|
| extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city)
|
|
| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), IPAddresses = makeset(IPAddress), DistinctIPCount = dcount(IPAddress),
|
|
makeset(OS), makeset(Browser), makeset(City), AttemptCount = count()
|
|
by UserDisplayName, UserPrincipalName, AppDisplayName, ResultType, ResultDescription, StatusCode, StatusDetails, Location, State
|
|
| extend timestamp = StartTimeUtc, AccountCustomEntity = UserPrincipalName
|
|
| sort by AttemptCount
|
|
|