Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Excessive number of HTTP authentication failures from a source ASIM Web Session schema

Excessive number of HTTP authentication failures from a source ASIM Web Session schema

Back
Ida1bddaf8-982b-4089-ba9e-6590dfcf80ea
RulenameExcessive number of HTTP authentication failures from a source (ASIM Web Session schema)
DescriptionThis rule identifies a source that repeatedly fails to authenticate to a web service (HTTP response code 403). This may indicate a brute force or credential stuffing attack.

This rule uses the Advanced Security Information Model (ASIM) and supports any web session source that complies with ASIM.
SeverityLow
TacticsPersistence
CredentialAccess
TechniquesT1110
T1556
Required data connectorsSquidProxy
Zscaler
KindScheduled
Query frequency1d
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimWebSession/ExcessiveNetworkFailuresFromSource.yaml
Version1.0.5
Arm templatea1bddaf8-982b-4089-ba9e-6590dfcf80ea.json
Deploy To Azure
let error403_count_threshold=200;
_Im_WebSession(eventresultdetails_in=dynamic(["403"]))
| extend ParsedUrl=parse_url(Url)
| extend UrlHost=tostring(ParsedUrl["Host"]), UrlSchema=tostring(ParsedUrl["Schema"])
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), NumberOfErrors = count(), Urls=makeset(Url) by UrlHost, SrcIpAddr
| where NumberOfErrors > error403_count_threshold
| sort by NumberOfErrors desc
| extend Url=tostring(Urls[0])

severity: Low
relevantTechniques:
- T1110
- T1556
customDetails:
  NumberOfErrors: NumberOfErrors
queryFrequency: 1d
kind: Scheduled
version: 1.0.5
metadata:
  support:
    tier: Community
  categories:
    domains:
    - Security - Others
  author:
    name: Yaron
  source:
    kind: Community
name: Excessive number of HTTP authentication failures from a source (ASIM Web Session schema)
triggerOperator: gt
description: |
  This rule identifies a source that repeatedly fails to authenticate to a web service (HTTP response code 403). This may indicate a [brute force](https://en.wikipedia.org/wiki/Brute-force_attack) or [credential stuffing](https://en.wikipedia.org/wiki/Credential_stuffing) attack.
  This rule uses the [Advanced Security Information Model (ASIM)](https://aka.ms/AboutSIM) and supports any web session source that complies with ASIM.  
queryPeriod: 1d
query: |
  let error403_count_threshold=200;
  _Im_WebSession(eventresultdetails_in=dynamic(["403"]))
  | extend ParsedUrl=parse_url(Url)
  | extend UrlHost=tostring(ParsedUrl["Host"]), UrlSchema=tostring(ParsedUrl["Schema"])
  | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), NumberOfErrors = count(), Urls=makeset(Url) by UrlHost, SrcIpAddr
  | where NumberOfErrors > error403_count_threshold
  | sort by NumberOfErrors desc
  | extend Url=tostring(Urls[0])  
alertDetailsOverride:
  alertDisplayNameFormat: Excessive number of HTTP authentication failures from {{SrcIpAddr}
  alertDescriptionFormat: A client with address {{SrcIpAddr}} generated a large number of failed authentication HTTP requests. This may indicate a [brute force](https://en.wikipedia.org/wiki/Brute-force_attack) or [credential stuffing](https://en.wikipedia.org/wiki/Credential_stuffing) attack.
entityMappings:
- entityType: URL
  fieldMappings:
  - columnName: Url
    identifier: Url
- entityType: IP
  fieldMappings:
  - columnName: SrcIpAddr
    identifier: Address
tactics:
- Persistence
- CredentialAccess
tags:
- ParentAlert: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/Wazuh-Large%20Number%20of%20Web%20errors%20from%20an%20IP.yaml
  ParentVersion: 1.1.0
- Schema: ASIMWebSession
  SchemaVersion: 0.2.1
triggerThreshold: 0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimWebSession/ExcessiveNetworkFailuresFromSource.yaml
id: a1bddaf8-982b-4089-ba9e-6590dfcf80ea
requiredDataConnectors:
- dataTypes:
  - SquidProxy_CL
  connectorId: SquidProxy
- dataTypes:
  - CommonSecurityLog
  connectorId: Zscaler

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2023-02-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/a1bddaf8-982b-4089-ba9e-6590dfcf80ea')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/a1bddaf8-982b-4089-ba9e-6590dfcf80ea')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "A client with address {{SrcIpAddr}} generated a large number of failed authentication HTTP requests. This may indicate a [brute force](https://en.wikipedia.org/wiki/Brute-force_attack) or [credential stuffing](https://en.wikipedia.org/wiki/Credential_stuffing) attack.",
          "alertDisplayNameFormat": "Excessive number of HTTP authentication failures from {{SrcIpAddr}"
        },
        "alertRuleTemplateName": "a1bddaf8-982b-4089-ba9e-6590dfcf80ea",
        "customDetails": {
          "NumberOfErrors": "NumberOfErrors"
        },
        "description": "This rule identifies a source that repeatedly fails to authenticate to a web service (HTTP response code 403). This may indicate a [brute force](https://en.wikipedia.org/wiki/Brute-force_attack) or [credential stuffing](https://en.wikipedia.org/wiki/Credential_stuffing) attack.\nThis rule uses the [Advanced Security Information Model (ASIM)](https://aka.ms/AboutSIM) and supports any web session source that complies with ASIM.\n",
        "displayName": "Excessive number of HTTP authentication failures from a source (ASIM Web Session schema)",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "URL",
            "fieldMappings": [
              {
                "columnName": "Url",
                "identifier": "Url"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "SrcIpAddr",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimWebSession/ExcessiveNetworkFailuresFromSource.yaml",
        "query": "let error403_count_threshold=200;\n_Im_WebSession(eventresultdetails_in=dynamic([\"403\"]))\n| extend ParsedUrl=parse_url(Url)\n| extend UrlHost=tostring(ParsedUrl[\"Host\"]), UrlSchema=tostring(ParsedUrl[\"Schema\"])\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), NumberOfErrors = count(), Urls=makeset(Url) by UrlHost, SrcIpAddr\n| where NumberOfErrors > error403_count_threshold\n| sort by NumberOfErrors desc\n| extend Url=tostring(Urls[0])\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P1D",
        "severity": "Low",
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CredentialAccess",
          "Persistence"
        ],
        "tags": [
          {
            "ParentAlert": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/Wazuh-Large%20Number%20of%20Web%20errors%20from%20an%20IP.yaml",
            "ParentVersion": "1.1.0"
          },
          {
            "Schema": "ASIMWebSession",
            "SchemaVersion": "0.2.1"
          }
        ],
        "techniques": [
          "T1110",
          "T1556"
        ],
        "templateVersion": "1.0.5",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}