Security Alert Unusual Number Of Failed Sign In Attempts
Query
SecurityAlert
| where AlertName has "Unusual number of failed sign-in attempts" and ProviderName == "Azure Security Center"
| summarize arg_min(TimeGenerated, *) by SystemAlertId
| extend ExtendedProperties = todynamic(ExtendedProperties)
| extend
MachineName = tostring(ExtendedProperties["Machine Name"]),
IPAddress = tostring(ExtendedProperties["IP Address"]),
ResourceType = tostring(ExtendedProperties["resourceType"])
// Clean Entities
| extend Entities = replace_regex(Entities, @'(\,\"\w+\"\:\{\"\$ref\"\:\"\d+\"\}|\"\w+\"\:\{\"\$ref\"\:\"\d+\"\}\,|\,\{\"\$ref\"\:\"\d+\"\})|\"\$id\"\:\"\d+\"\,', '')
| summarize
TimeGenerated = min(TimeGenerated),
StartTime = min(StartTime),
EndTime = max(EndTime),
IPAddresses = make_set_if(IPAddress, isnotempty(IPAddress), 250),
ExtendedLinks = make_set(ExtendedLinks, 250),
AlertLinks = make_set(AlertLink, 250),
Entities = make_set(todynamic(Entities)),
take_any(RemediationSteps, Tactics, Techniques)
by AlertName, AlertSeverity, Description, ResourceId = tolower(ResourceId), MachineName, ResourceType
| project
TimeGenerated,
AlertName,
AlertSeverity,
Description,
RemediationSteps,
ResourceId,
ResourceType,
StartTime,
EndTime,
MachineName,
IPAddresses,
ExtendedLinks,
AlertLinks,
Tactics,
Techniques,
EntitiesExplanation
This KQL query is designed to analyze security alerts related to unusual numbers of failed sign-in attempts, specifically from the Azure Security Center. Here's a simplified breakdown of what the query does:
-
Filter Alerts: It starts by filtering the
SecurityAlerttable to find alerts with the name "Unusual number of failed sign-in attempts" and generated by "Azure Security Center". -
Summarize Alerts: It uses
arg_minto get the earliest instance of each alert based onSystemAlertId, ensuring that only the first occurrence of each alert is considered. -
Extract Properties: The query extracts specific properties from the
ExtendedPropertiesfield, such asMachineName,IPAddress, andResourceType. -
Clean Entities: It cleans up the
Entitiesfield by removing certain patterns using regular expressions, likely to simplify the data structure. -
Aggregate Data: The query then aggregates the data:
- Finds the earliest
TimeGeneratedandStartTime, and the latestEndTime. - Collects unique IP addresses, extended links, and alert links.
- Groups entities into a set.
- Selects any available remediation steps, tactics, and techniques.
- Finds the earliest
-
Project Results: Finally, it selects and organizes the relevant fields to display, such as
TimeGenerated,AlertName,AlertSeverity,Description, and others, for easy analysis and reporting.
In summary, this query is used to identify and analyze specific security alerts related to failed sign-in attempts, extract and clean relevant data, and present a summarized view of the alerts with key details.
Details

Jose Sebastián Canós
Released: February 5, 2024
Tables
Keywords
Operators