Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Cross-Cloud Password Spray detection

Back
Id1f40ed57-f54b-462f-906a-ac3a89cc90d4
RulenameCross-Cloud Password Spray detection
DescriptionThis detection focuses on identifying potential cross-cloud brute force / Password Spray attempts involving Azure and AWS platforms. It monitors sign-in activities within the Azure Portal and AWS ConsoleLogins where brute force attempts are successful on both platforms in a synchronized manner.
SeverityMedium
TacticsCredentialAccess
TechniquesT1110
Required data connectorsAWS
AzureActiveDirectory
BehaviorAnalytics
MicrosoftThreatProtection
KindScheduled
Query frequency1d
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Multi Cloud Attack Coverage Essentials - Resource Abuse/Analytic Rules/BrutforceAttemptOnAzurePortalAndAWSConsolAtSameTime.yaml
Version1.0.1
Arm template1f40ed57-f54b-462f-906a-ac3a89cc90d4.json
Deploy To Azure
// Materialize a table named "Azure_Bruforce" containing Azure Portal sign-in logs within the last 1 day
let Azure_Bruforce =  materialize (
    SigninLogs
// Filter sign-in logs related to the Azure Portal
      | where AppDisplayName == "Azure Portal"
// Exclude entries with empty OriginalRequestId
    | where isnotempty(OriginalRequestId)
// Summarize various counts and sets based on brute force criteria
    | summarize 
      AzureSuccessfulEvent = countif(ResultType == 0), 
      AzureFailedEvent = countif(ResultType != 0), 
      totalAzureLoginEventId = dcount(OriginalRequestId), 
      AzureFailedEventsCount = dcountif(OriginalRequestId, ResultType != 0), 
      AzureSuccessfuleventsCount = dcountif(OriginalRequestId, ResultType == 0),
      AzureSetOfFailedevents = makeset(iff(ResultType != 0, OriginalRequestId, ""), 5), 
      AzureSetOfSuccessfulEvents = makeset(iff(ResultType == 0, OriginalRequestId, ""), 5) 
      by 
      IPAddress, 
      UserPrincipalName, 
      bin(TimeGenerated, 1min), 
      UserAgent,
      ConditionalAccessStatus,
      OperationName,
      RiskDetail,
      AuthenticationRequirement,
      ClientAppUsed
// Extracting the name and UPN suffix from UserPrincipalName
    | extend
        Name = tostring(split(UserPrincipalName, '@')[0]),
        UPNSuffix = tostring(split(UserPrincipalName, '@')[1]));
// Materialize a table named "AWS_Bruforce" containing AWS CloudTrail events related to ConsoleLogins within the last 1 day
let AWS_Bruforce = materialize (
    AWSCloudTrail 
// Filter CloudTrail events related to ConsoleLogin
    | where EventName == "ConsoleLogin" 
// Extract ActionType from ResponseElements JSON
    | extend ActionType = tostring(parse_json(ResponseElements).ConsoleLogin)  
// Summarize various counts and sets based on  brute force criteria 
    | summarize 
        AWSSuccessful=countif(ActionType == "Success"), 
        AWSFailed = countif(ActionType == "Failure"), 
        totalAwsEventId= dcount(AwsEventId), 
        AWSFailedEventsCount = dcountif(AwsEventId, ActionType == "Failure"), 
        AWSSuccessfuleventsCount = dcountif(AwsEventId, ActionType == "Success"), 
        AWSFailedevents = makeset(iff(ActionType == "Failure", AwsEventId, ""), 5), 
        AWSSuccessfulEvents = makeset(iff(ActionType == "Success", AwsEventId, ""), 5)  
// Grouping by various attributes
        by 
        SourceIpAddress, 
        UserIdentityUserName,
        bin(TimeGenerated, 1min), 
        UserAgent );
// Joining the Azure_Bruforce and AWS_Bruforce tables on matching IP addresses and UserAgents
Azure_Bruforce
| join kind=inner AWS_Bruforce on $left.IPAddress == $right.SourceIpAddress and $left.UserAgent == $right.UserAgent
// Filtering based on conditions for failed and successful events
| where (AWSFailedEventsCount >= 4 and AzureFailedEventsCount >= 5) and ((AzureSuccessfuleventsCount >= 1 and AzureFailedEvent > AzureSuccessfulEvent) or (AWSSuccessfuleventsCount >= 1 and AWSFailedEventsCount > AWSSuccessfuleventsCount))
customDetails:
  AzureUser: UserPrincipalName
  AwsUser: UserIdentityUserName
  AzureClientAppUsed: ClientAppUsed
  UserAgent: UserAgent
severity: Medium
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Multi Cloud Attack Coverage Essentials - Resource Abuse/Analytic Rules/BrutforceAttemptOnAzurePortalAndAWSConsolAtSameTime.yaml
id: 1f40ed57-f54b-462f-906a-ac3a89cc90d4
name: Cross-Cloud Password Spray detection
query: |
  // Materialize a table named "Azure_Bruforce" containing Azure Portal sign-in logs within the last 1 day
  let Azure_Bruforce =  materialize (
      SigninLogs
  // Filter sign-in logs related to the Azure Portal
        | where AppDisplayName == "Azure Portal"
  // Exclude entries with empty OriginalRequestId
      | where isnotempty(OriginalRequestId)
  // Summarize various counts and sets based on brute force criteria
      | summarize 
        AzureSuccessfulEvent = countif(ResultType == 0), 
        AzureFailedEvent = countif(ResultType != 0), 
        totalAzureLoginEventId = dcount(OriginalRequestId), 
        AzureFailedEventsCount = dcountif(OriginalRequestId, ResultType != 0), 
        AzureSuccessfuleventsCount = dcountif(OriginalRequestId, ResultType == 0),
        AzureSetOfFailedevents = makeset(iff(ResultType != 0, OriginalRequestId, ""), 5), 
        AzureSetOfSuccessfulEvents = makeset(iff(ResultType == 0, OriginalRequestId, ""), 5) 
        by 
        IPAddress, 
        UserPrincipalName, 
        bin(TimeGenerated, 1min), 
        UserAgent,
        ConditionalAccessStatus,
        OperationName,
        RiskDetail,
        AuthenticationRequirement,
        ClientAppUsed
  // Extracting the name and UPN suffix from UserPrincipalName
      | extend
          Name = tostring(split(UserPrincipalName, '@')[0]),
          UPNSuffix = tostring(split(UserPrincipalName, '@')[1]));
  // Materialize a table named "AWS_Bruforce" containing AWS CloudTrail events related to ConsoleLogins within the last 1 day
  let AWS_Bruforce = materialize (
      AWSCloudTrail 
  // Filter CloudTrail events related to ConsoleLogin
      | where EventName == "ConsoleLogin" 
  // Extract ActionType from ResponseElements JSON
      | extend ActionType = tostring(parse_json(ResponseElements).ConsoleLogin)  
  // Summarize various counts and sets based on  brute force criteria 
      | summarize 
          AWSSuccessful=countif(ActionType == "Success"), 
          AWSFailed = countif(ActionType == "Failure"), 
          totalAwsEventId= dcount(AwsEventId), 
          AWSFailedEventsCount = dcountif(AwsEventId, ActionType == "Failure"), 
          AWSSuccessfuleventsCount = dcountif(AwsEventId, ActionType == "Success"), 
          AWSFailedevents = makeset(iff(ActionType == "Failure", AwsEventId, ""), 5), 
          AWSSuccessfulEvents = makeset(iff(ActionType == "Success", AwsEventId, ""), 5)  
  // Grouping by various attributes
          by 
          SourceIpAddress, 
          UserIdentityUserName,
          bin(TimeGenerated, 1min), 
          UserAgent );
  // Joining the Azure_Bruforce and AWS_Bruforce tables on matching IP addresses and UserAgents
  Azure_Bruforce
  | join kind=inner AWS_Bruforce on $left.IPAddress == $right.SourceIpAddress and $left.UserAgent == $right.UserAgent
  // Filtering based on conditions for failed and successful events
  | where (AWSFailedEventsCount >= 4 and AzureFailedEventsCount >= 5) and ((AzureSuccessfuleventsCount >= 1 and AzureFailedEvent > AzureSuccessfulEvent) or (AWSSuccessfuleventsCount >= 1 and AWSFailedEventsCount > AWSSuccessfuleventsCount))  
entityMappings:
- fieldMappings:
  - columnName: UserPrincipalName
    identifier: FullName
  - columnName: Name
    identifier: Name
  - columnName: UPNSuffix
    identifier: UPNSuffix
  entityType: Account
- fieldMappings:
  - columnName: SourceIpAddress
    identifier: Address
  entityType: IP
queryPeriod: 1d
triggerThreshold: 0
tactics:
- CredentialAccess
version: 1.0.1
kind: Scheduled
relevantTechniques:
- T1110
queryFrequency: 1d
requiredDataConnectors:
- dataTypes:
  - AWSCloudTrail
  connectorId: AWS
- dataTypes:
  - SigninLogs
  connectorId: AzureActiveDirectory
- dataTypes:
  - IdentityInfo
  connectorId: BehaviorAnalytics
- dataTypes:
  - SecurityAlert
  connectorId: MicrosoftThreatProtection
description: |
    'This detection focuses on identifying potential cross-cloud brute force / Password Spray attempts involving Azure and AWS platforms. It monitors sign-in activities within the Azure Portal and AWS ConsoleLogins where brute force attempts are successful on both platforms in a synchronized manner.'
triggerOperator: gt
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2023-02-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/1f40ed57-f54b-462f-906a-ac3a89cc90d4')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/1f40ed57-f54b-462f-906a-ac3a89cc90d4')]",
      "properties": {
        "alertRuleTemplateName": "1f40ed57-f54b-462f-906a-ac3a89cc90d4",
        "customDetails": {
          "AwsUser": "UserIdentityUserName",
          "AzureClientAppUsed": "ClientAppUsed",
          "AzureUser": "UserPrincipalName",
          "UserAgent": "UserAgent"
        },
        "description": "'This detection focuses on identifying potential cross-cloud brute force / Password Spray attempts involving Azure and AWS platforms. It monitors sign-in activities within the Azure Portal and AWS ConsoleLogins where brute force attempts are successful on both platforms in a synchronized manner.'\n",
        "displayName": "Cross-Cloud Password Spray detection",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "UserPrincipalName",
                "identifier": "FullName"
              },
              {
                "columnName": "Name",
                "identifier": "Name"
              },
              {
                "columnName": "UPNSuffix",
                "identifier": "UPNSuffix"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "SourceIpAddress",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Multi Cloud Attack Coverage Essentials - Resource Abuse/Analytic Rules/BrutforceAttemptOnAzurePortalAndAWSConsolAtSameTime.yaml",
        "query": "// Materialize a table named \"Azure_Bruforce\" containing Azure Portal sign-in logs within the last 1 day\nlet Azure_Bruforce =  materialize (\n    SigninLogs\n// Filter sign-in logs related to the Azure Portal\n      | where AppDisplayName == \"Azure Portal\"\n// Exclude entries with empty OriginalRequestId\n    | where isnotempty(OriginalRequestId)\n// Summarize various counts and sets based on brute force criteria\n    | summarize \n      AzureSuccessfulEvent = countif(ResultType == 0), \n      AzureFailedEvent = countif(ResultType != 0), \n      totalAzureLoginEventId = dcount(OriginalRequestId), \n      AzureFailedEventsCount = dcountif(OriginalRequestId, ResultType != 0), \n      AzureSuccessfuleventsCount = dcountif(OriginalRequestId, ResultType == 0),\n      AzureSetOfFailedevents = makeset(iff(ResultType != 0, OriginalRequestId, \"\"), 5), \n      AzureSetOfSuccessfulEvents = makeset(iff(ResultType == 0, OriginalRequestId, \"\"), 5) \n      by \n      IPAddress, \n      UserPrincipalName, \n      bin(TimeGenerated, 1min), \n      UserAgent,\n      ConditionalAccessStatus,\n      OperationName,\n      RiskDetail,\n      AuthenticationRequirement,\n      ClientAppUsed\n// Extracting the name and UPN suffix from UserPrincipalName\n    | extend\n        Name = tostring(split(UserPrincipalName, '@')[0]),\n        UPNSuffix = tostring(split(UserPrincipalName, '@')[1]));\n// Materialize a table named \"AWS_Bruforce\" containing AWS CloudTrail events related to ConsoleLogins within the last 1 day\nlet AWS_Bruforce = materialize (\n    AWSCloudTrail \n// Filter CloudTrail events related to ConsoleLogin\n    | where EventName == \"ConsoleLogin\" \n// Extract ActionType from ResponseElements JSON\n    | extend ActionType = tostring(parse_json(ResponseElements).ConsoleLogin)  \n// Summarize various counts and sets based on  brute force criteria \n    | summarize \n        AWSSuccessful=countif(ActionType == \"Success\"), \n        AWSFailed = countif(ActionType == \"Failure\"), \n        totalAwsEventId= dcount(AwsEventId), \n        AWSFailedEventsCount = dcountif(AwsEventId, ActionType == \"Failure\"), \n        AWSSuccessfuleventsCount = dcountif(AwsEventId, ActionType == \"Success\"), \n        AWSFailedevents = makeset(iff(ActionType == \"Failure\", AwsEventId, \"\"), 5), \n        AWSSuccessfulEvents = makeset(iff(ActionType == \"Success\", AwsEventId, \"\"), 5)  \n// Grouping by various attributes\n        by \n        SourceIpAddress, \n        UserIdentityUserName,\n        bin(TimeGenerated, 1min), \n        UserAgent );\n// Joining the Azure_Bruforce and AWS_Bruforce tables on matching IP addresses and UserAgents\nAzure_Bruforce\n| join kind=inner AWS_Bruforce on $left.IPAddress == $right.SourceIpAddress and $left.UserAgent == $right.UserAgent\n// Filtering based on conditions for failed and successful events\n| where (AWSFailedEventsCount >= 4 and AzureFailedEventsCount >= 5) and ((AzureSuccessfuleventsCount >= 1 and AzureFailedEvent > AzureSuccessfulEvent) or (AWSSuccessfuleventsCount >= 1 and AWSFailedEventsCount > AWSSuccessfuleventsCount))\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P1D",
        "severity": "Medium",
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CredentialAccess"
        ],
        "techniques": [
          "T1110"
        ],
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}