Tenable.ad Password Spraying

Back


Id	29d350db-0ac0-4f4c-92ff-dac0f6335612
Rulename	Tenable.ad Password Spraying
Description	Searches for Password spraying attacks.
Severity	High
Tactics	CredentialAccess
Techniques	T1110.003
Required data connectors	Tenable.ad
Kind	Scheduled
Query frequency	2h
Query period	2h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/TenableAD/Analytic Rules/TenableAdPasswordSpraying.yaml
Version	1.0.0
Arm template	29d350db-0ac0-4f4c-92ff-dac0f6335612.json

KQL

// For the query to work properly, make sure you have imported the afad_parser.kql parser into the workspace
// Retrieve the parser here: https://raw.githubusercontent.com/tenable/Azure-Sentinel/Tenable.ad-connector/Solutions/TenableAD/Parsers/afad_parser.kql
// Then, create the Kusto Function with alias afad_parser
afad_parser
  | where MessageType == 2 and Codename == "Password Spraying"

YAML

version: 1.0.0
name: Tenable.ad Password Spraying
severity: High
queryFrequency: 2h
kind: Scheduled
queryPeriod: 2h
description: |
    'Searches for Password spraying attacks.'
query: |
  // For the query to work properly, make sure you have imported the afad_parser.kql parser into the workspace
  // Retrieve the parser here: https://raw.githubusercontent.com/tenable/Azure-Sentinel/Tenable.ad-connector/Solutions/TenableAD/Parsers/afad_parser.kql
  // Then, create the Kusto Function with alias afad_parser
  afad_parser
    | where MessageType == 2 and Codename == "Password Spraying"  
tactics:
- CredentialAccess
triggerOperator: gt
entityMappings: 
triggerThreshold: 0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/TenableAD/Analytic Rules/TenableAdPasswordSpraying.yaml
requiredDataConnectors:
- connectorId: Tenable.ad
  dataTypes:
  - Tenable_ad_CL
relevantTechniques:
- T1110.003
id: 29d350db-0ac0-4f4c-92ff-dac0f6335612

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/29d350db-0ac0-4f4c-92ff-dac0f6335612')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/29d350db-0ac0-4f4c-92ff-dac0f6335612')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01-preview",
      "properties": {
        "displayName": "Tenable.ad Password Spraying",
        "description": "'Searches for Password spraying attacks.'\n",
        "severity": "High",
        "enabled": true,
        "query": "// For the query to work properly, make sure you have imported the afad_parser.kql parser into the workspace\n// Retrieve the parser here: https://raw.githubusercontent.com/tenable/Azure-Sentinel/Tenable.ad-connector/Solutions/TenableAD/Parsers/afad_parser.kql\n// Then, create the Kusto Function with alias afad_parser\nafad_parser\n  | where MessageType == 2 and Codename == \"Password Spraying\"\n",
        "queryFrequency": "PT2H",
        "queryPeriod": "PT2H",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CredentialAccess"
        ],
        "techniques": [
          "T1110.003"
        ],
        "alertRuleTemplateName": "29d350db-0ac0-4f4c-92ff-dac0f6335612",
        "customDetails": null,
        "entityMappings": null,
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/TenableAD/Analytic Rules/TenableAdPasswordSpraying.yaml",
        "templateVersion": "1.0.0"
      }
    }
  ]
}