List user accounts with repeated logon failures to identify possible targets of brute force attacks or invalid credential usage attempts.
Prerequisites for using this KQL query
The Microsoft Defender for Identity sensor must be installed on your domain controllers if you want to see Active Directory logon failures. Run the query in Microsoft Defender > Hunting > Advanced hunting.
KQL query to identify brute force attacks or invalid credential usage attempts
IdentityLogonEvents
| where ActionType == "LogonFailed"
| summarize count() by AccountName, DeviceName, LogonType, Protocol, FailureReason
| where count_ > 5
| sort by count_
Deconstructing the KQL query
Read on to understand HOW the query above works.
The purpose of this query is to understand which accounts, devices, and protocols are experiencing the most logon failures. By filtering, summarizing, and sorting the data, we’ll gain insights into the patterns of failed logon attempts. We can then investigate further into accounts of interest.
IdentityLogonEvents
This is the dataset we’re querying. It contains information about authentication activities related to both on-premises Active Directory (captured by Microsoft Defender for Identity) and Microsoft online services (captured by Microsoft Defender for Cloud Apps).
| where ActionType == "LogonFailed"
We’re only interested in failed logon attempts, so we start by filtering the events to include only those where the ActionType is “LogonFailed”.
| summarize count() by AccountName, DeviceName, LogonType, Protocol, FailureReason
Next, we summarize the data. Here’s what we’re doing:
- Grouping the events by several fields:
  - AccountName: The user account attempting the logon.
  - DeviceName: The device involved in the logon attempt (if applicable).
  - LogonType: The type of logon session (will vary depending on the source application).
  - Protocol: The network protocol used for authentication (if applicable).
  - FailureReason: The reason why the logon failed.
- The count() function calculates the number of occurrences for each combination of these fields.
| where count_ > 5
After summarizing, we filter the results further. We keep only those combinations where the count of logon failures (count_) is greater than 5. This helps us focus on significant patterns. You can adjust the threshold as well as the time range you search over to further narrow your results.
| sort by count_
Finally, we sort the summarized results by the count_ column. KQL's sort by orders descending by default, so we’ll see the most frequent logon failures at the top.
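To make the pipeline above concrete, here is an added Python example (not part of the original post, and not Microsoft code) that runs the same filter, summarize, threshold and sort steps over a handful of constructed records shaped like IdentityLogonEvents rows. It goes slightly beyond the page's query by exposing the two knobs the text says you can tune, the failure threshold and the time range (the equivalent of adding `| where Timestamp > ago(7d)` to the KQL), as function parameters. The sample events, the fixed "now" and the helper names are assumptions made for this example.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


# Constructed sample rows with the IdentityLogonEvents column names used on the page
# (plus Timestamp, which the table also carries). All values are invented.
@dataclass(frozen=True)
class LogonEvent:
    Timestamp: datetime
    ActionType: str
    AccountName: str
    DeviceName: str
    LogonType: str
    Protocol: str
    FailureReason: str


# Fixed "now" so the example is deterministic (assumption for this example).
NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)


def _ev(minutes_ago, action, account, device, logon_type="Network",
        protocol="Kerberos", reason=""):
    """Build one constructed event that happened `minutes_ago` minutes before NOW."""
    return LogonEvent(NOW - timedelta(minutes=minutes_ago), action, account,
                      device, logon_type, protocol, reason)


SAMPLE_EVENTS = (
    # 8 recent failures for one account/device/protocol: above the page's threshold of 5
    [_ev(i, "LogonFailed", "svc-backup", "DC01", reason="WrongPassword") for i in range(8)]
    # 3 recent failures: below the threshold, so dropped by "where count_ > 5"
    + [_ev(i, "LogonFailed", "jdoe", "WS17", protocol="Ntlm", reason="WrongPassword") for i in range(3)]
    # successful logons are removed by the ActionType filter regardless of count
    + [_ev(i, "LogonSuccess", "jdoe", "WS17") for i in range(10)]
    # 9 failures from 10 days ago: outside a 7-day search window, inside a 30-day one
    + [_ev(60 * 24 * 10 + i, "LogonFailed", "old-user", "DC01", reason="AccountDisabled") for i in range(9)]
)


def failed_logon_summary(events, threshold=5, lookback_days=7, now=NOW):
    """Python mirror of the page's KQL pipeline:

        | where ActionType == "LogonFailed"              -> keep only failures
        | where Timestamp > ago(<lookback_days>d)        -> the time-range knob
        | summarize count() by AccountName, DeviceName,
                               LogonType, Protocol, FailureReason
        | where count_ > <threshold>
        | sort by count_                                 -> descending (KQL default)

    Returns a list of (group_fields_dict, count_) tuples, most frequent first.
    """
    cutoff = now - timedelta(days=lookback_days)
    counts = Counter()
    for e in events:
        if e.ActionType != "LogonFailed":
            continue
        if e.Timestamp <= cutoff:
            continue
        key = (e.AccountName, e.DeviceName, e.LogonType, e.Protocol, e.FailureReason)
        counts[key] += 1

    rows = [
        ({"AccountName": k[0], "DeviceName": k[1], "LogonType": k[2],
          "Protocol": k[3], "FailureReason": k[4]}, n)
        for k, n in counts.items()
        if n > threshold
    ]
    # sort by count_ with no modifier is descending in KQL, so the busiest group comes first
    rows.sort(key=lambda row: row[1], reverse=True)
    return rows


if __name__ == "__main__":
    for group, count_ in failed_logon_summary(SAMPLE_EVENTS):
        print(count_, group)
```

With the defaults only the svc-backup group survives (8 failures); widening the window to 30 days also surfaces the disabled-account failures, and lowering the threshold to 2 lets the 3-failure jdoe group through. Those are exactly the two adjustments the text above suggests when a hunt returns too much or too little.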
Reference
- Log Analytics table: IdentityLogonEvents | learn.microsoft.com