@Eduards Give this a try: https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/W3CIISLog/Potential_IIS_BF.yaml
Azure Sentinel - IIS brute force tracking
Eduards 791 Reputation points
Hello,
I want to create a KQL query that catches brute force attacks against an IIS server.
At this time I have information about successful logins and failed attempts. I want to track information about failed and successful logins to the IIS server, host, IP, login count, etc.
For example, if there were 50 failed sign-ins, generate an alert and create an incident. Or something like this.
Are there some IIS KQL samples?
Accepted answer
VipulSparsh-MSFT 16,271 Reputation points Microsoft Employee
2021-02-01T12:24:17.183+00:00
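
A starting-point query for the scenario in the question, as an added example that is not part of the original thread and is not the linked hunting query. It assumes IIS logs are collected into the `W3CIISLog` table and that failed sign-ins surface as HTTP 401; the 1-day lookback and 10-minute window are illustrative values, and the 50-failure threshold is taken from the question.

```kql
// Added example: per-client failed/successful sign-in counts for IIS.
// Assumptions: failed sign-ins are logged as HTTP 401 (Basic/Windows auth);
// apps using forms auth usually answer 200/302 on failure and need a
// URL-specific filter instead. Lookback and window are values to tune.
let lookback = 1d;
let window = 10m;
let failedThreshold = 50;   // "50 failed sign-ins" from the question
W3CIISLog
| where TimeGenerated >= ago(lookback)
| where scStatus in ("401", "200")          // scStatus is a string column
| summarize
    FailedCount   = countif(scStatus == "401"),
    // Count a 200 as a sign-in only when IIS logged an authenticated user
    SuccessCount  = countif(scStatus == "200" and isnotempty(csUserName) and csUserName != "-"),
    DistinctUsers = dcount(csUserName),
    Users         = make_set(csUserName, 50),
    FirstSeen     = min(TimeGenerated),
    LastSeen      = max(TimeGenerated)
  by Computer, sSiteName, cIP, bin(TimeGenerated, window)
| where FailedCount >= failedThreshold
// A success in the same window as many failures deserves priority triage
| extend HadSuccessInWindow = SuccessCount > 0
| project WindowStart = TimeGenerated, Computer, sSiteName, cIP,
          FailedCount, SuccessCount, DistinctUsers, Users,
          FirstSeen, LastSeen, HadSuccessInWindow
| order by FailedCount desc
```

Windows authentication (NTLM/Negotiate) returns 401 challenges to legitimate clients as part of its handshake, so baseline normal 401 volume per client before fixing the threshold. To raise incidents, the same query can back a scheduled analytics rule with `cIP` and `Computer` mapped as entities.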