Tenable.ad Password Spraying

Back


Id	29d350db-0ac0-4f4c-92ff-dac0f6335612
Rulename	Tenable.ad Password Spraying
Description	Searches for Password spraying attacks.
Severity	High
Tactics	CredentialAccess
Techniques	T1110.003
Required data connectors	Tenable.ad
Kind	Scheduled
Query frequency	2h
Query period	2h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/TenableAD/Analytic Rules/TenableAdPasswordSpraying.yaml
Version	1.0.0
Arm template	29d350db-0ac0-4f4c-92ff-dac0f6335612.json

KQL

// For the query to work properly, make sure you have imported the afad_parser.kql parser into the workspace
// Retrieve the parser here: https://raw.githubusercontent.com/tenable/Azure-Sentinel/Tenable.ad-connector/Solutions/TenableAD/Parsers/afad_parser.kql
// Then, create the Kusto Function with alias afad_parser
afad_parser
  | where MessageType == 2 and Codename == "Password Spraying"

YAML

name: Tenable.ad Password Spraying
query: |
  // For the query to work properly, make sure you have imported the afad_parser.kql parser into the workspace
  // Retrieve the parser here: https://raw.githubusercontent.com/tenable/Azure-Sentinel/Tenable.ad-connector/Solutions/TenableAD/Parsers/afad_parser.kql
  // Then, create the Kusto Function with alias afad_parser
  afad_parser
    | where MessageType == 2 and Codename == "Password Spraying"  
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/TenableAD/Analytic Rules/TenableAdPasswordSpraying.yaml
queryFrequency: 2h
triggerThreshold: 0
requiredDataConnectors:
- dataTypes:
  - Tenable_ad_CL
  connectorId: Tenable.ad
version: 1.0.0
queryPeriod: 2h
id: 29d350db-0ac0-4f4c-92ff-dac0f6335612
triggerOperator: gt
entityMappings: 
relevantTechniques:
- T1110.003
severity: High
description: |
    'Searches for Password spraying attacks.'
kind: Scheduled
tactics:
- CredentialAccess

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/29d350db-0ac0-4f4c-92ff-dac0f6335612')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/29d350db-0ac0-4f4c-92ff-dac0f6335612')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01",
      "properties": {
        "displayName": "Tenable.ad Password Spraying",
        "description": "'Searches for Password spraying attacks.'\n",
        "severity": "High",
        "enabled": true,
        "query": "// For the query to work properly, make sure you have imported the afad_parser.kql parser into the workspace\n// Retrieve the parser here: https://raw.githubusercontent.com/tenable/Azure-Sentinel/Tenable.ad-connector/Solutions/TenableAD/Parsers/afad_parser.kql\n// Then, create the Kusto Function with alias afad_parser\nafad_parser\n  | where MessageType == 2 and Codename == \"Password Spraying\"\n",
        "queryFrequency": "PT2H",
        "queryPeriod": "PT2H",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CredentialAccess"
        ],
        "techniques": [
          "T1110.003"
        ],
        "alertRuleTemplateName": "29d350db-0ac0-4f4c-92ff-dac0f6335612",
        "customDetails": null,
        "entityMappings": null,
        "templateVersion": "1.0.0",
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/TenableAD/Analytic Rules/TenableAdPasswordSpraying.yaml"
      }
    }
  ]
}