This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(44.800000000000004, 39%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EE%3C/text%3E%3C/svg%3E)
Hello,
I want to create KQL query that catches brute force attacks against IIS server.
A this time i have information about successful logins and failed attempts. I want to track information about failed and successful login to IIS server, host, IP, login count etc.
For example - if there was 50 failed sign-in times generate alert and create incident. Or something like this.
Is there some IIS KQL samples?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(195.2, 0%, 28%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EVM%3C/text%3E%3C/svg%3E)
This doesn't return anything.
And is there a possibility to define exact return address.
For example if the login is successful it's returns - https://mysite.contoso.com
If login failed then - https://mysite.contosom.com.logon.aspx?returnurl=%2f
How to make query based on this statements?
Thank you!