Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Password spray attack against ADFSSignInLogs

Password spray attack against ADFSSignInLogs

Back
Id5533fe80-905e-49d5-889a-df27d2c3976d
RulenamePassword spray attack against ADFSSignInLogs
DescriptionIdentifies evidence of password spray activity against Connect Health for AD FS sign-in events by looking for failures from multiple accounts from the same IP address within a time window. Reference: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Entra%20ID/ADFSSignInLogsPasswordSpray.md
SeverityMedium
TacticsCredentialAccess
TechniquesT1110
Required data connectorsAzureActiveDirectory
KindScheduled
Query frequency30m
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Entra ID/Analytic Rules/ADFSSignInLogsPasswordSpray.yaml
Version1.0.2
Arm template5533fe80-905e-49d5-889a-df27d2c3976d.json
Deploy To Azure
let queryfrequency = 30m;
let accountthreshold = 10;
let successCodes = dynamic([0, 50144]);
ADFSSignInLogs
| extend IngestionTime = ingestion_time()
| where IngestionTime > ago(queryfrequency)
| where not(todynamic(AuthenticationDetails)[0].authenticationMethod == "Integrated Windows Authentication")
| summarize
    DistinctFailureCount = dcountif(UserPrincipalName, ResultType !in (successCodes)),
    DistinctSuccessCount = dcountif(UserPrincipalName, ResultType in (successCodes)),
    SuccessAccounts = make_set_if(UserPrincipalName, ResultType in (successCodes), 250),
    arg_min(TimeGenerated, *)
    by IPAddress
| where DistinctFailureCount > DistinctSuccessCount and DistinctFailureCount >= accountthreshold
//| extend SuccessAccounts = iff(array_length(SuccessAccounts) != 0, SuccessAccounts, dynamic(["null"]))
//| mv-expand SuccessAccounts
| project TimeGenerated, Category, OperationName, IPAddress, DistinctFailureCount, DistinctSuccessCount, SuccessAccounts, AuthenticationRequirement, ConditionalAccessStatus, IsInteractive, UserAgent, NetworkLocationDetails, DeviceDetail, TokenIssuerType, TokenIssuerName, ResourceIdentity

kind: Scheduled
tactics:
- CredentialAccess
status: Available
triggerOperator: gt
version: 1.0.2
name: Password spray attack against ADFSSignInLogs
queryFrequency: 30m
id: 5533fe80-905e-49d5-889a-df27d2c3976d
requiredDataConnectors:
- connectorId: AzureActiveDirectory
  dataTypes:
  - ADFSSignInLogs
relevantTechniques:
- T1110
description: |
    'Identifies evidence of password spray activity against Connect Health for AD FS sign-in events by looking for failures from multiple accounts from the same IP address within a time window. Reference: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Entra%20ID/ADFSSignInLogsPasswordSpray.md'
entityMappings:
- entityType: IP
  fieldMappings:
  - columnName: IPAddress
    identifier: Address
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Entra ID/Analytic Rules/ADFSSignInLogsPasswordSpray.yaml
triggerThreshold: 0
queryPeriod: 1h
severity: Medium
query: |
  let queryfrequency = 30m;
  let accountthreshold = 10;
  let successCodes = dynamic([0, 50144]);
  ADFSSignInLogs
  | extend IngestionTime = ingestion_time()
  | where IngestionTime > ago(queryfrequency)
  | where not(todynamic(AuthenticationDetails)[0].authenticationMethod == "Integrated Windows Authentication")
  | summarize
      DistinctFailureCount = dcountif(UserPrincipalName, ResultType !in (successCodes)),
      DistinctSuccessCount = dcountif(UserPrincipalName, ResultType in (successCodes)),
      SuccessAccounts = make_set_if(UserPrincipalName, ResultType in (successCodes), 250),
      arg_min(TimeGenerated, *)
      by IPAddress
  | where DistinctFailureCount > DistinctSuccessCount and DistinctFailureCount >= accountthreshold
  //| extend SuccessAccounts = iff(array_length(SuccessAccounts) != 0, SuccessAccounts, dynamic(["null"]))
  //| mv-expand SuccessAccounts
  | project TimeGenerated, Category, OperationName, IPAddress, DistinctFailureCount, DistinctSuccessCount, SuccessAccounts, AuthenticationRequirement, ConditionalAccessStatus, IsInteractive, UserAgent, NetworkLocationDetails, DeviceDetail, TokenIssuerType, TokenIssuerName, ResourceIdentity