Anomalies Attempted User Account Bruteforce Per Failure Reason
Query
Anomalies
| where RuleName endswith "Attempted user account bruteforce per failure reason" and RuleStatus != "Flighting"
| extend
Query = ExtendedLinks[0]["DetailBladeInputs"],
AttemptCount = toint(AnomalyDetails["Observables"][0]["Value"]),
ExpectedAttemptCount = toint(AnomalyDetails["Observables"][0]["TypicalObservations"]["Expected count"]),
FailureReason = tostring(AnomalyDetails["Observables"][1]["Value"])
| project
TimeGenerated,
RuleName,
Description,
Query,
UserName,
AttemptCount,
ExpectedAttemptCount,
FailureReason,
Score,
AnomalyDetails,
Entities,
Tactics,
Techniques,
ExtendedLinksExplanation
This query is filtering anomalies based on a specific rule name and rule status. It then extends the query by extracting specific values from the anomaly details. Finally, it projects a set of fields including time generated, rule name, description, query, username, attempt count, expected attempt count, failure reason, score, anomaly details, entities, tactics, techniques, and extended links.
Details

Jose Sebastián Canós
Released: December 15, 2022
Tables
Anomalies
Keywords
AnomaliesRuleNameRuleStatusExtendedLinksQueryAttemptCountAnomalyDetailsFailureReasonTimeGeneratedDescriptionUserNameScoreEntitiesTacticsTechniques
Operators
whereendswith!=extendtointtostringproject