Access Global Failed Login
Query
//This query detects high severity security alerts from MCAS related to failed logins
SecurityAlert
| where ProviderName == "MCAS"
| where AlertSeverity == "High"
| extend Href_ = tostring(parse_json(ExtendedLinks)[1].Href)
| extend AccountCustomEntity = CompromisedEntity
| extend URLCustomEntity = Href_
| extend FileHashCustomEntity = DescriptionExplanation
This query is designed to identify high severity security alerts from Microsoft Cloud App Security (MCAS) that are associated with failed login attempts. Here's a breakdown of what the query does:
-
Data Source: It starts by looking at the
SecurityAlertdata set. -
Filter by Provider: It filters the alerts to only include those generated by "MCAS" (Microsoft Cloud App Security).
-
Filter by Severity: It further narrows down the results to only include alerts with a "High" severity level.
-
Extract URL: It extracts a URL from the
ExtendedLinksfield and assigns it to a new field calledHref_. -
Map Entities:
- It maps the
CompromisedEntityfield to a new field calledAccountCustomEntity. - It maps the extracted URL (
Href_) to a new field calledURLCustomEntity. - It maps the
Descriptionfield to a new field calledFileHashCustomEntity.
- It maps the
In summary, this query identifies high severity alerts from MCAS related to failed logins and extracts specific details such as a URL and compromised account information for further analysis or investigation.
Details

User Submission
Released: November 10, 2024
Tables
Keywords
Operators