Create sentinel query

rahul haridas 0 Reputation points
2023-05-31T18:17:41.86+00:00

Hi, please assist in creating a Sentinel query for multiple login failures followed by a success for a user on a host within a 1 hour duration. Here, let's say the threshold is 15. So the query should look for 16 failures followed by 1 success.

Microsoft Sentinel

1 answer

  1. Clive Watson 5,951 Reputation points MVP
    2023-06-01T08:26:37.4433333+00:00

    You should be able to adapt a query like this one to your needs; personally, I wouldn't limit the failures to a count (but I don't know your full use case).

    https://github.com/reprise99/Sentinel-Queries/blob/75f8b10d5c95a1b21e10c55e6c1d66bae01cf86f/Azure%20Active%20Directory/Identity-RiskyMFARequirementfollowedbyMFAregistration.kql#L1
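An added example, not from the original post or the linked repository: a KQL query implementing the pattern described in the question (more than 15 failed logons followed by a successful logon for the same account on the same host within one hour). It assumes Windows Security events are ingested into the standard SecurityEvent table (EventID 4625 = failed logon, 4624 = successful logon); the threshold, window and 1-day lookback are placeholders to adjust for the scheduled rule's own lookback.

```kql
// Detection: N+ failed logons followed by a successful logon for the same
// account on the same host within a sliding window (defaults from the question).
let threshold = 15;          // more than this many failures triggers
let window = 1h;             // failures must fall within this span before the success
let lookback = 1d;           // assumed; replace with the analytic rule's lookback
let failures = SecurityEvent
    | where TimeGenerated > ago(lookback)
    | where EventID == 4625
    | where Account !endswith "$"               // drop machine accounts (assumption)
    | project FailTime = TimeGenerated, Account, Computer, FailIp = IpAddress;
let successes = SecurityEvent
    | where TimeGenerated > ago(lookback)
    | where EventID == 4624
    | where LogonType in (2, 3, 10)            // interactive, network, remote interactive
    | where Account !endswith "$"
    | project SuccessTime = TimeGenerated, Account, Computer, SuccessIp = IpAddress;
successes
// Pair each success with every failure for the same account on the same host
| join kind=inner (failures) on Account, Computer
// Keep only failures that happened in the window immediately before the success
| where FailTime < SuccessTime and FailTime >= SuccessTime - window
| summarize FailureCount = count(),
            FirstFailure = min(FailTime),
            LastFailure = max(FailTime),
            FailedFromIps = make_set(FailIp, 10)
    by Account, Computer, SuccessTime, SuccessIp
// threshold 15 -> alert on 16 or more failures before the success
| where FailureCount > threshold
| project SuccessTime, Account, Computer, FailureCount, FirstFailure, LastFailure,
          SuccessIp, FailedFromIps
| order by SuccessTime desc
```

On high-volume hosts the inner join can fan out; if it becomes expensive, pre-aggregate failures with `summarize count() by Account, Computer, bin(TimeGenerated, window)` before joining, at the cost of a fixed rather than sliding window.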