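// Name: attempts to sign in to disabled accounts - by account name
//
// Id: b00f127c-46fa-40bd-9ab6-b266974d29cc
//
// Description: (failed) attempts to sign in to disabled accounts summarized
// by account name. Repeated attempts against a disabled account from many
// distinct source IPs can indicate stale credentials being replayed
// (credential stuffing / password spraying) or a departed user still trying
// to get in; a single recurring source is more often a forgotten scheduled
// job or a user who has not been told the account was disabled.
//
// DataSource: #SigninLogs
//
// Tactics: #InitialAccess
//
// Lookback window; adjust here rather than editing the where clause below.
let timeframe = 14d;
SigninLogs
| where TimeGenerated >= ago(timeframe)
// 50057 is the sign-in error code for "user account is disabled". Filter on
// the code only: the human-readable ResultDescription wording is not stable
// across tenants and service updates, and an exact string compare on it
// silently drops matching rows whenever the text changes.
| where ResultType == "50057"
// Per account/app: attempt count (kept as count_ for compatibility), time span
// of the activity, and how many distinct sources were involved. The source-IP
// spread is the main triage signal that separates an attacker from a stale job.
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated),
            count(), SourceIPCount = dcount(IPAddress), SourceIPs = make_set(IPAddress, 10)
            by AppDisplayName, UserPrincipalName
// Entity mapping so Sentinel links each row to the targeted account.
| extend AccountCustomEntity = UserPrincipalName
| order by count_ desc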