Monitoring successful sign-ins following repeated sign-in failures


Problem description

I'd like to use Azure Log Analytics to create a monitoring alert for possible brute-force attempts on my users' accounts. That is to say, I'd like to be notified by Azure (or, at the very least, be able to manually run the script to obtain the data) when a user's account is successfully authenticated into O365 following a number of failed attempts.

I know how to parse the logs to, for example, obtain the number of unsuccessful sign-in attempts by all users during a defined period (see the example below):

SigninLogs
| where TimeGenerated between(datetime("2018-11-19 00:00:00") .. datetime("2018-11-19 23:59:59")) 
| where ResultType == "50074"
| summarize FailedSigninCount = count() by UserDisplayName 
| sort by FailedSigninCount desc

But I don't know how to script the following:

  • A user has created 9 unsuccessful sign-in attempts (type 50074) and created a successful sign-in attempt.
  • Within a 60-second period.

Any help would be gratefully received.

Recommended answer

Hi Oliver,

Following up internally with a few of my Log Analytics engineers. Will update once I have a response.

Thank you for your patience.
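
One way to express the condition the question describes (at least 9 type-50074 failures followed by a successful sign-in within 60 seconds), as an added example that is not part of the original thread. The Signins table holds constructed sample rows with constructed users and addresses; in a workspace, replace it with SigninLogs filtered to the alert's lookback period.

```kusto
// Added example; not from the thread. Thresholds are the asker's values.
let failureCodes = dynamic(["50074"]);   // asker's failure type; add e.g. "50126" (invalid username or password) if wanted
let failureThreshold = 9;
let lookbackWindow = 60s;
// Constructed sample rows. Against a real workspace, replace Signins with:
//   SigninLogs | where TimeGenerated > ago(1h)
let Signins = datatable(TimeGenerated:datetime, UserPrincipalName:string, ResultType:string, IPAddress:string)
[
    datetime(2018-11-19 10:00:01), "alice@contoso.example", "50074", "203.0.113.10",
    datetime(2018-11-19 10:00:06), "alice@contoso.example", "50074", "203.0.113.10",
    datetime(2018-11-19 10:00:11), "alice@contoso.example", "50074", "203.0.113.10",
    datetime(2018-11-19 10:00:16), "alice@contoso.example", "50074", "203.0.113.10",
    datetime(2018-11-19 10:00:21), "alice@contoso.example", "50074", "203.0.113.10",
    datetime(2018-11-19 10:00:26), "alice@contoso.example", "50074", "203.0.113.10",
    datetime(2018-11-19 10:00:31), "alice@contoso.example", "50074", "203.0.113.10",
    datetime(2018-11-19 10:00:36), "alice@contoso.example", "50074", "203.0.113.10",
    datetime(2018-11-19 10:00:41), "alice@contoso.example", "50074", "203.0.113.10",
    datetime(2018-11-19 10:00:45), "alice@contoso.example", "0",     "203.0.113.10",
    datetime(2018-11-19 11:15:02), "bob@contoso.example",   "50074", "198.51.100.7",
    datetime(2018-11-19 11:15:20), "bob@contoso.example",   "50074", "198.51.100.7",
    datetime(2018-11-19 11:15:31), "bob@contoso.example",   "0",     "198.51.100.7"
];
// Every failure of the chosen type, keyed by user.
let failures = Signins
    | where ResultType in (failureCodes)
    | project UserPrincipalName, FailureTime = TimeGenerated, FailureIP = IPAddress;
// For each successful sign-in, count that user's failures in the preceding window.
Signins
| where ResultType == "0"                 // "0" is a successful sign-in
| project UserPrincipalName, SuccessTime = TimeGenerated, SuccessIP = IPAddress
| join kind=inner failures on UserPrincipalName
| where FailureTime <= SuccessTime and FailureTime >= SuccessTime - lookbackWindow
| summarize FailedCount = count(), FirstFailure = min(FailureTime), FailureIPs = make_set(FailureIP)
    by UserPrincipalName, SuccessTime, SuccessIP
| where FailedCount >= failureThreshold
| sort by SuccessTime desc
```

The result has one row per qualifying successful sign-in, so a log alert rule can fire whenever the query returns any rows.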

