Microsoft Sentinel Analytic Rules

Potential Password Spray Attack

RulenamePotential Password Spray Attack
DescriptionThis query searches for failed attempts to log into the Okta console from more than 15 distinct users within a 5-minute timeframe from the same source. This is a potential indication of a password spray attack.
Required data connectorsOktaSSO
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Uri Single Sign-On/Analytic Rules/PasswordSpray.yaml
Arm templatee27dd7e5-4367-4c40-a2b7-fcd7e7a8a508.json
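// Flags a source IP that produced failed Okta console sign-ins for more than
// FailureThreshold distinct users inside one fixed 5-minute bin.
let FailureThreshold = 15;
let FailedEvents = OktaSSO
| where eventType_s =~ "user.session.start" and outcome_reason_s in ("VERIFICATION_ERROR","INVALID_CREDENTIALS")
// bin() gives fixed windows, not a sliding 5 minutes: attempts that straddle a
// bin boundary are counted in two separate rows. dcount is an estimate, which
// is expected to be exact at cardinalities this small.
| summarize dcount(actor_alternateId_s) by client_ipAddress_s, bin(TimeGenerated, 5m)
| where dcount_actor_alternateId_s > FailureThreshold
| project client_ipAddress_s, TimeGenerated;
// Second pass over the same events to attach the user list and geo context
// to each offending (source IP, 5m bin) pair. The source table line was
// missing here, which left a bare "| where" with nothing to pipe from.
OktaSSO
| where eventType_s =~ "user.session.start" and outcome_reason_s in ("VERIFICATION_ERROR","INVALID_CREDENTIALS")
| summarize Users = make_set(actor_alternateId_s) by client_ipAddress_s, City = column_ifexists('client_geographicalContext_city_s', ""), Country = column_ifexists('client_geographicalContext_country_s', ""), bin(TimeGenerated, 5m)
// Both sides carry the bin start in TimeGenerated, so the join pairs rows by
// IP and window.
| join kind=inner (FailedEvents) on client_ipAddress_s, TimeGenerated
| sort by TimeGenerated desc
| extend timestamp = TimeGenerated, IPCustomEntity = client_ipAddress_s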
triggerOperator: gt
queryFrequency: 1h
description: |
    'This query searches for failed attempts to log into the Okta console from more than 15 distinct users within a 5-minute timeframe from the same source. This is a potential indication of a password spray attack.'
status: Available
kind: Scheduled
triggerThreshold: 0
- connectorId: OktaSSO
  - Okta_CL
- connectorId: OktaSSOv2
  - OktaSSO
version: 1.1.0
queryPeriod: 1h
name: Potential Password Spray Attack
OriginalUri: Single Sign-On/Analytic Rules/PasswordSpray.yaml
id: e27dd7e5-4367-4c40-a2b7-fcd7e7a8a508
- CredentialAccess
- T1110
severity: Medium
- fieldMappings:
  - identifier: Address
    columnName: IPCustomEntity
  entityType: IP
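query: |
  // Flags a source IP that produced failed Okta console sign-ins for more than
  // FailureThreshold distinct users inside one fixed 5-minute bin.
  let FailureThreshold = 15;
  let FailedEvents = OktaSSO
  | where eventType_s =~ "user.session.start" and outcome_reason_s in ("VERIFICATION_ERROR","INVALID_CREDENTIALS")
  // bin() gives fixed windows, not a sliding 5 minutes: attempts that straddle
  // a bin boundary are counted in two separate rows. dcount is an estimate,
  // which is expected to be exact at cardinalities this small.
  | summarize dcount(actor_alternateId_s) by client_ipAddress_s, bin(TimeGenerated, 5m)
  | where dcount_actor_alternateId_s > FailureThreshold
  | project client_ipAddress_s, TimeGenerated;
  // Second pass over the same events to attach the user list and geo context
  // to each offending (source IP, 5m bin) pair. The source table line was
  // missing here, which left a bare "| where" with nothing to pipe from.
  OktaSSO
  | where eventType_s =~ "user.session.start" and outcome_reason_s in ("VERIFICATION_ERROR","INVALID_CREDENTIALS")
  | summarize Users = make_set(actor_alternateId_s) by client_ipAddress_s, City = column_ifexists('client_geographicalContext_city_s', ""), Country = column_ifexists('client_geographicalContext_country_s', ""), bin(TimeGenerated, 5m)
  // Both sides carry the bin start in TimeGenerated, so the join pairs rows
  // by IP and window.
  | join kind=inner (FailedEvents) on client_ipAddress_s, TimeGenerated
  | sort by TimeGenerated desc
  | extend timestamp = TimeGenerated, IPCustomEntity = client_ipAddress_s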
  "$schema": "",
  "contentVersion": "",
  "parameters": {
    "workspace": {
      "type": "String"
  "resources": [
      "apiVersion": "2023-02-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/e27dd7e5-4367-4c40-a2b7-fcd7e7a8a508')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/e27dd7e5-4367-4c40-a2b7-fcd7e7a8a508')]",
      "properties": {
        "alertRuleTemplateName": "e27dd7e5-4367-4c40-a2b7-fcd7e7a8a508",
        "customDetails": null,
        "description": "'This query searches for failed attempts to log into the Okta console from more than 15 distinct users within a 5-minute timeframe from the same source. This is a potential indication of a password spray attack.'\n",
        "displayName": "Potential Password Spray Attack",
        "enabled": true,
        "entityMappings": [
            "entityType": "IP",
            "fieldMappings": [
                "columnName": "IPCustomEntity",
                "identifier": "Address"
        "OriginalUri": " Single Sign-On/Analytic Rules/PasswordSpray.yaml",
        "query": "let FailureThreshold = 15;\nlet FailedEvents = OktaSSO\n| where eventType_s =~ \"user.session.start\"and outcome_reason_s in (\"VERIFICATION_ERROR\",\"INVALID_CREDENTIALS\")\n| summarize dcount(actor_alternateId_s) by client_ipAddress_s, bin(TimeGenerated, 5m)\n| where dcount_actor_alternateId_s > FailureThreshold\n| project client_ipAddress_s, TimeGenerated;\nOktaSSO\n| where eventType_s =~ \"user.session.start\"and outcome_reason_s in (\"VERIFICATION_ERROR\",\"INVALID_CREDENTIALS\")\n| summarize Users = make_set(actor_alternateId_s) by client_ipAddress_s, City = column_ifexists('client_geographicalContext_city_s', \"\"), Country = column_ifexists('client_geographicalContext_country_s', \"\"), bin(TimeGenerated, 5m)\n| join kind=inner (FailedEvents) on client_ipAddress_s, TimeGenerated\n| sort by TimeGenerated desc\n| extend timestamp = TimeGenerated, IPCustomEntity = client_ipAddress_s\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Medium",
        "status": "Available",
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
        "techniques": [
        "templateVersion": "1.1.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"