KQL - suggest logic for NetIQ use cases

asked 2022-06-29T12:06:16.457+00:00
Can someone suggest a KQL logic for the following use cases:

• Brute force attack against user credentials
• Potential Password Spray Attack
• User login from different countries within 3 hours
• Sign-ins from IPs that attempt sign-ins to disabled accounts

I have a customer who has NetIQ IDM feeding into Sentinel in CEF: https://www.netiq.com/documentation/edirectory-92/edir_admin/data/t44e7j6b8ufi.html

Thank you!

Accepted answer
  answered 2022-06-29T12:15:44.357+00:00
    Andrew Blumhardt

    That would be hard to produce without access to your data. I recommend looking at the alert templates in Sentinel and the related GitHub repository. You should be able to find examples for most of these requests (or you may find one of the Azure security tools already meets the need). You should also consider if your Sentinel has the data needed for these scenarios. Brute force is easy enough. Password spray is a little more difficult. Both would likely be part of the Identity Protection solutions like MDI. You might see impossible travel in AAD Identity Protection and Defender for Cloud. That last scenario sounds very similar to Sentinel's multistage attack or Fusion rule.
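The four use cases from the question written out as one KQL query, added here as an example; it is not part of the question or the accepted answer and is not NetIQ's or Microsoft's code. It assumes the NetIQ CEF events land in Sentinel's CommonSecurityLog table with the standard mappings (duser to DestinationUserName, src to SourceIP, reason to Reason). The DeviceVendor string, the DeviceEventClassID values for failed and successful logins, and the "disabled" match on the Reason column are placeholders that must be replaced with the real values from the eDirectory CEF event reference linked in the question.

```kql
// Added example: the four use cases as one query over CommonSecurityLog, runnable in
// Logs or as a scheduled analytics rule. Not from the original post.
// ASSUMPTIONS (placeholders, replace with values from the eDirectory CEF event reference):
//   DeviceVendor == "NetIQ"; DeviceEventClassID "LOGIN_FAILED" / "LOGIN_SUCCESS";
//   disabled-account failures carry "disabled" in the CEF reason field (Reason column).
let lookback = 1d;
let bruteForceMin = 20;     // failures against one account from one IP within 10 min
let sprayMinAccounts = 15;  // distinct accounts hit from one IP within 1 h
let travelWindow = 3h;
let Logins = CommonSecurityLog
    | where TimeGenerated > ago(lookback)
    | where DeviceVendor has "NetIQ"                                          // ASSUMPTION
    | extend Outcome = case(
          DeviceEventClassID == "LOGIN_FAILED",  "Failure",                   // ASSUMPTION
          DeviceEventClassID == "LOGIN_SUCCESS", "Success",                   // ASSUMPTION
          "Other")
    | where Outcome != "Other"
    | extend DisabledAttempt = Outcome == "Failure" and Reason has "disabled" // ASSUMPTION
    | project TimeGenerated, Outcome, DisabledAttempt, Account = DestinationUserName, SourceIP;
// 1. Brute force: many failures against ONE account from one IP in a 10-minute bin.
//    A later success from the same IP against that account raises the severity.
let BruteForce = Logins
    | where Outcome == "Failure"
    | summarize Failures = count(), FirstFail = min(TimeGenerated), LastFail = max(TimeGenerated)
        by Account, SourceIP, Window = bin(TimeGenerated, 10m)
    | where Failures >= bruteForceMin
    | join kind=leftouter (
          Logins | where Outcome == "Success" | project Account, SourceIP, SuccessTime = TimeGenerated
      ) on Account, SourceIP
    | summarize SuccessAfter = minif(SuccessTime, SuccessTime > LastFail)
        by Account, SourceIP, Window, Failures, FirstFail, LastFail
    | extend Detection = "BruteForce", Severity = iff(isnotnull(SuccessAfter), "High", "Medium");
// 2. Password spray: one IP, MANY distinct accounts, only a few failures per account.
//    The Failures <= 3 * DistinctAccounts condition separates it from brute force.
let PasswordSpray = Logins
    | where Outcome == "Failure"
    | summarize Failures = count(), DistinctAccounts = dcount(Account), Accounts = make_set(Account, 25)
        by SourceIP, Window = bin(TimeGenerated, 1h)
    | where DistinctAccounts >= sprayMinAccounts and Failures <= DistinctAccounts * 3
    | extend Detection = "PasswordSpray", Severity = "Medium";
// 3. Impossible travel: consecutive successful logins for one account from different
//    countries within 3 hours. geo_info_from_ip_address() is Kusto's built-in GeoIP lookup;
//    if it is not available in your workspace, join a GeoIP watchlist via ipv4_lookup() instead.
let ImpossibleTravel = Logins
    | where Outcome == "Success"
    | extend Country = tostring(geo_info_from_ip_address(SourceIP).country)
    | where isnotempty(Country)
    | order by Account asc, TimeGenerated asc          // serialises rows so prev() is defined
    | extend PrevAccount = prev(Account), PrevCountry = prev(Country),
             PrevIP = prev(SourceIP), PrevTime = prev(TimeGenerated)
    | where Account == PrevAccount and Country != PrevCountry and TimeGenerated - PrevTime <= travelWindow
    | project TimeGenerated, Account, SourceIP, Country, PrevIP, PrevCountry, PrevTime,
              Detection = "ImpossibleTravel", Severity = "High";
// 4. Sign-ins from IPs that also tried disabled accounts: every other login attempt
//    (success or failure) from such an IP, with the disabled targets attached. A success
//    from an IP that was probing disabled accounts is the interesting case.
let DisabledAccountProbe = Logins
    | where DisabledAttempt
    | summarize DisabledTargets = make_set(Account, 25), FirstProbe = min(TimeGenerated) by SourceIP
    | join kind=inner (Logins | where not(DisabledAttempt)) on SourceIP
    | project TimeGenerated, SourceIP, Account, Outcome, DisabledTargets, FirstProbe,
              Detection = "DisabledAccountProbe",
              Severity = iff(Outcome == "Success", "High", "Medium");
union BruteForce, PasswordSpray, ImpossibleTravel, DisabledAccountProbe
| project-reorder Detection, Severity, *
```

Run it in Logs first with `lookback = 1d` to check that the placeholder event IDs and the Reason match actually select rows from the customer's feed, then split it into four scheduled rules (one per `let`) so each can have its own thresholds, lookback and entity mapping; the thresholds, bin sizes and the 3-hour window are tuning knobs, not vendor constants.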

