Brute force attack against a Cloud PC
| Id | 3fbc20a4-04c4-464e-8fcb-6667f53e4987 |
| Rulename | Brute force attack against a Cloud PC |
| Description | Identifies evidence of brute force activity against a Windows 365 Cloud PC by highlighting multiple authentication failures and by a successful authentication within a given time window. |
| Severity | Medium |
| Tactics | CredentialAccess |
| Techniques | T1110 |
| Required data connectors | AzureActiveDirectory |
| Kind | Scheduled |
| Query frequency | 1d |
| Query period | 1d |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Entra ID/Analytic Rules/BruteForceCloudPC.yaml |
| Version | 2.0.1 |
| Arm template | 3fbc20a4-04c4-464e-8fcb-6667f53e4987.json |
let authenticationWindow = 20m;
let sensitivity = 2.5;
SigninLogs
| where AppDisplayName =~ "Windows Sign In"
| extend FailureOrSuccess = iff(ResultType in ("0", "50125", "50140", "70043", "70044"), "Success", "Failure")
| summarize FailureCount = countif(FailureOrSuccess=="Failure"), SuccessCount = countif(FailureOrSuccess=="Success"), IPAddresses = make_set(IPAddress,1000)
by bin(TimeGenerated, authenticationWindow), UserDisplayName, UserPrincipalName
| extend FailureSuccessDiff = FailureCount - SuccessCount
| where FailureSuccessDiff > 0
| summarize Diff = make_list(FailureSuccessDiff, 10000), TimeStamp = make_list(TimeGenerated, 10000) by UserDisplayName, UserPrincipalName//, tostring(IPAddresses)
| extend (Anomalies, Score, Baseline) = series_decompose_anomalies(Diff, sensitivity, -1, 'linefit')
| mv-expand Diff to typeof(double), TimeStamp to typeof(datetime), Anomalies to typeof(double), Score to typeof(double), Baseline to typeof(long)
| where Anomalies > 0
| summarize by UserDisplayName, UserPrincipalName, Anomalies, Score, Baseline, FailureToSuccessDiff = Diff
| join kind=leftouter (
SigninLogs
| where AppDisplayName =~ "Windows Sign In"
| extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser
| extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)
| extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city)
| summarize StartTime = min(TimeGenerated),
EndTime = max(TimeGenerated),
IPAddresses = make_set(IPAddress,100),
OS = make_set(OS,20),
Browser = make_set(Browser,20),
City = make_set(City,100),
ResultType = make_set(ResultType,100)
by UserDisplayName, UserPrincipalName, UserId, AppDisplayName
) on UserDisplayName, UserPrincipalName
| project-away UserDisplayName1, UserPrincipalName1
| extend IPAddressFirst = tostring(IPAddresses[0])
| extend Name = tostring(split(UserPrincipalName,'@',0)[0]), UPNSuffix = tostring(split(UserPrincipalName,'@',1)[0])
description: |
'Identifies evidence of brute force activity against a Windows 365 Cloud PC by highlighting multiple authentication failures and by a successful authentication within a given time window.'
kind: Scheduled
tactics:
- CredentialAccess
requiredDataConnectors:
- connectorId: AzureActiveDirectory
dataTypes:
- SigninLogs
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Entra ID/Analytic Rules/BruteForceCloudPC.yaml
severity: Medium
name: Brute force attack against a Cloud PC
triggerThreshold: 0
queryPeriod: 1d
query: |
let authenticationWindow = 20m;
let sensitivity = 2.5;
SigninLogs
| where AppDisplayName =~ "Windows Sign In"
| extend FailureOrSuccess = iff(ResultType in ("0", "50125", "50140", "70043", "70044"), "Success", "Failure")
| summarize FailureCount = countif(FailureOrSuccess=="Failure"), SuccessCount = countif(FailureOrSuccess=="Success"), IPAddresses = make_set(IPAddress,1000)
by bin(TimeGenerated, authenticationWindow), UserDisplayName, UserPrincipalName
| extend FailureSuccessDiff = FailureCount - SuccessCount
| where FailureSuccessDiff > 0
| summarize Diff = make_list(FailureSuccessDiff, 10000), TimeStamp = make_list(TimeGenerated, 10000) by UserDisplayName, UserPrincipalName//, tostring(IPAddresses)
| extend (Anomalies, Score, Baseline) = series_decompose_anomalies(Diff, sensitivity, -1, 'linefit')
| mv-expand Diff to typeof(double), TimeStamp to typeof(datetime), Anomalies to typeof(double), Score to typeof(double), Baseline to typeof(long)
| where Anomalies > 0
| summarize by UserDisplayName, UserPrincipalName, Anomalies, Score, Baseline, FailureToSuccessDiff = Diff
| join kind=leftouter (
SigninLogs
| where AppDisplayName =~ "Windows Sign In"
| extend OS = DeviceDetail.operatingSystem, Browser = DeviceDetail.browser
| extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails)
| extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city)
| summarize StartTime = min(TimeGenerated),
EndTime = max(TimeGenerated),
IPAddresses = make_set(IPAddress,100),
OS = make_set(OS,20),
Browser = make_set(Browser,20),
City = make_set(City,100),
ResultType = make_set(ResultType,100)
by UserDisplayName, UserPrincipalName, UserId, AppDisplayName
) on UserDisplayName, UserPrincipalName
| project-away UserDisplayName1, UserPrincipalName1
| extend IPAddressFirst = tostring(IPAddresses[0])
| extend Name = tostring(split(UserPrincipalName,'@',0)[0]), UPNSuffix = tostring(split(UserPrincipalName,'@',1)[0])
relevantTechniques:
- T1110
id: 3fbc20a4-04c4-464e-8fcb-6667f53e4987
queryFrequency: 1d
status: Available
triggerOperator: gt
version: 2.0.1
entityMappings:
- entityType: Account
fieldMappings:
- columnName: UserPrincipalName
identifier: FullName
- columnName: Name
identifier: Name
- columnName: UPNSuffix
identifier: UPNSuffix
- entityType: Account
fieldMappings:
- columnName: UserId
identifier: AadUserId
- entityType: IP
fieldMappings:
- columnName: IPAddressFirst
identifier: Address