Visualize Entra Password Spray Attack with ADX Interactive Map
Steven Lim
Favikon Top Cybersecurity / IT & Tech LinkedIn Creators | VP | Director | KQLWizard
On my 28th Dec 2023 LinkedIn post, I shared about an adversary commencing a password spray on my Entra tenant on Boxing Day, with one Azure Sentinel chart screenshot (top picture) and one Azure Data Explorer (ADX) screenshot (bottom picture).
For those interested in visualizing the password spray attack as in the top picture, you can run the KQL below and view the result in "Chart" mode.
SigninLogs
| where TimeGenerated > ago(7d)
// 50126 = invalid username or password, 50053 = account locked out after repeated wrong passwords
| where ResultType in ("50053", "50126")
// count the failures in 30-minute bins; a spray shows up as a sudden, sustained spike
| summarize PasswordSpray_Per_HalfHour = count() by bin(TimeGenerated, 30m)
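A raw failure count per bin cannot tell a spray from one user repeatedly mistyping a password. The query below is an added example, not part of the original post: it keeps the same 30-minute bins but adds the number of distinct targeted accounts and distinct source IPs per bin, so the spray pattern (many accounts, few IPs) stands out on the same timechart. Column names are the standard Sentinel SigninLogs columns; the bin size and lookback are taken from the post.

```kql
// Added example (not from the post): 30-minute bins with distinct accounts and source IPs
// alongside the failure count, to separate a spray from a single-user lockout.
SigninLogs
| where TimeGenerated > ago(7d)
// 50126 = invalid username or password, 50053 = account locked out
| where ResultType in ("50053", "50126")
| summarize FailedSignins = count(),
            TargetedUsers = dcount(UserPrincipalName),   // many accounts per bin => spray-like
            SourceIPs     = dcount(IPAddress)            // few IPs hitting many accounts => single source
    by bin(TimeGenerated, 30m)
| render timechart
```

When the TargetedUsers line rises with FailedSignins while SourceIPs stays flat, the failures are being spread across accounts from a small set of sources, which is the spray signature; a lockout of a single user shows a FailedSignins spike with TargetedUsers near 1.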
For those interested in visualizing password spray attack locations on a world map (similar to my Dec post), you can follow the instructions in the recent Microsoft blog post below:
Visualize Entra Sign-in Logs using an Interactive Map (By Timur Engin - Published Jan 16 2024)
Replace the blog's KQL with the KQL below to visualize the password spray attack locations.
SigninLogs
| where TimeGenerated > ago(7d)
// 50126 = invalid username or password, 50053 = account locked out
| where ResultType in ("50053", "50126")
// keep only sign-ins that carry geo-coordinates, otherwise the map has nothing to plot
| where isnotempty(LocationDetails.geoCoordinates)
| extend Latitude = toreal(LocationDetails.geoCoordinates["latitude"])
| extend Longitude = toreal(LocationDetails.geoCoordinates["longitude"])
// one point per location, with the number of failed attempts seen from it
| summarize Count = count() by Longitude, Latitude
| project Longitude, Latitude, Count
| render scatterchart with (kind=map)
Building such an interactive attack map gives your SecOps team a clear visualization of the spray attack and, if necessary, a basis for implementing a geo-fencing Conditional Access block on the attacking network group to mitigate the risk.
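Before adding a geo-fencing or named-location block in Conditional Access, the team needs the concrete source IPs and countries behind the map dots, and needs to know whether any of the sprayed attempts actually succeeded. The query below is an added example, not from the post or the Microsoft blog: it first picks out IPs that hit at least a threshold number of distinct accounts inside one 30-minute window (the threshold value of 10 is an assumption to tune per tenant), then summarizes all sign-in activity from those IPs, including successful sign-ins (ResultType "0"), which are the accounts to investigate first. Column names are standard Sentinel SigninLogs columns.

```kql
// Added example (not from the post): spray sources with per-source outcome, for Conditional Access review.
// Threshold and lookback values are assumptions; tune them to your tenant's normal sign-in volume.
let lookback = 7d;
let window = 30m;
let minTargetedUsers = 10;
// Step 1: IPs that failed against many distinct accounts within one window (spray-like behaviour)
let sprayers =
    SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType in ("50053", "50126")
    | summarize TargetedUsers = dcount(UserPrincipalName)
        by IPAddress, TimeBin = bin(TimeGenerated, window)
    | where TargetedUsers >= minTargetedUsers
    | distinct IPAddress;
// Step 2: everything those IPs did, including any successful sign-ins
SigninLogs
| where TimeGenerated > ago(lookback)
| where IPAddress in (sprayers)
| summarize FailedSignins  = countif(ResultType in ("50053", "50126")),
            Succeeded      = countif(ResultType == "0"),
            SucceededUsers = make_set_if(UserPrincipalName, ResultType == "0", 20), // accounts to triage first
            TargetedUsers  = dcount(UserPrincipalName),
            FirstSeen      = min(TimeGenerated),
            LastSeen       = max(TimeGenerated)
    by IPAddress,
       Country = tostring(LocationDetails.countryOrRegion),
       ASN = AutonomousSystemNumber   // grouping by ASN helps spot a spray rotated across one provider's IPs
| order by Succeeded desc, FailedSignins desc
```

The IPAddress and ASN columns are what go into a Conditional Access named location; Country shows whether a country-level block would cover the sources or hit legitimate users too. A non-zero Succeeded row means the spray landed on a valid password, so those SucceededUsers need a credential reset and session revocation regardless of any network block. The per-IP threshold will miss a spray distributed thinly across many IPs, which is why the ASN column is included and why the timechart view above remains useful.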
#cybersecurity #cyberattack #passwordspray #cyberwar #cyberlandscape #sentinel #ADX
Entrepreneurial Leader & Cybersecurity Strategist
1 yr · The Microsoft blog instructions you shared provide a step-by-step guide for creating an interactive map. This approach is instrumental in understanding the global scope of the attacks.
Balancing functionality and operations with security
1 yr · Greg Woter worth checking out…