KQL - suggest logic for NetIQ use cases

Georgi Palazov 286 Reputation points


Can someone suggest a KQL logic for the following use cases:

• Brute force attack against user credentials
• Potential Password Spray Attack
• User login from different countries within 3 hours
• Sign-ins from IPs that attempt sign-ins to disabled accounts

I have customer who has NetIQ IDM feeding to Sentinel in CEF - https://www.netiq.com/documentation/edirectory-92/edir_admin/data/t44e7j6b8ufi.html

Thank you!

Azure Data Explorer
Azure Data Explorer
An Azure data analytics service for real-time analysis on large volumes of data streaming from sources including applications, websites, and internet of things devices.
479 questions
Microsoft Sentinel
Microsoft Sentinel
A scalable, cloud-native solution for security information event management and security orchestration automated response. Previously known as Azure Sentinel.
971 questions
0 comments No comments
{count} votes

Accepted answer
  1. Andrew Blumhardt 9,491 Reputation points Microsoft Employee

    That would be hard to produce without access to your data. I recommend looking at the alert templates in Sentinel and the related GitHub repository. You should be able to find examples for most of these requests (or you may find one of the Azure security tools already meets the need). You should also consider if your Sentinel has the data needed for these scenarios. Brute force is easy enough. Password spray is a little more difficult. Both would likely be part of the Identity Protection solutions like MDI. You might see impossible travel in AAD Identity Protection and Defender for Cloud. That last scenario sounds very similar to Sentinel's multistage attack or Fusion rule.

    1 person found this answer helpful.

0 additional answers

Sort by: Most helpful