Password spray attack against ADFSSignInLogs
| Id | 5533fe80-905e-49d5-889a-df27d2c3976d |
| Rulename | Password spray attack against ADFSSignInLogs |
| Description | Identifies evidence of password spray activity against Connect Health for AD FS sign-in events by looking for failures from multiple accounts from the same IP address within a time window. Reference: https://adfshelp.microsoft.com/References/ConnectHealthErrorCodeReference |
| Severity | Medium |
| Tactics | CredentialAccess |
| Techniques | T1110 |
| Required data connectors | AzureActiveDirectory |
| Kind | Scheduled |
| Query frequency | 30m |
| Query period | 1h |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Entra ID/Analytic Rules/ADFSSignInLogsPasswordSpray.yaml |
| Version | 1.0.1 |
| Arm template | 5533fe80-905e-49d5-889a-df27d2c3976d.json |
let queryfrequency = 30m;
let accountthreshold = 10;
let successCodes = dynamic([0, 50144]);
ADFSSignInLogs
| extend IngestionTime = ingestion_time()
| where IngestionTime > ago(queryfrequency)
| where not(todynamic(AuthenticationDetails)[0].authenticationMethod == "Integrated Windows Authentication")
| summarize
DistinctFailureCount = dcountif(UserPrincipalName, ResultType !in (successCodes)),
DistinctSuccessCount = dcountif(UserPrincipalName, ResultType in (successCodes)),
SuccessAccounts = make_set_if(UserPrincipalName, ResultType in (successCodes), 250),
arg_min(TimeGenerated, *)
by IPAddress
| where DistinctFailureCount > DistinctSuccessCount and DistinctFailureCount >= accountthreshold
//| extend SuccessAccounts = iff(array_length(SuccessAccounts) != 0, SuccessAccounts, dynamic(["null"]))
//| mv-expand SuccessAccounts
| project TimeGenerated, Category, OperationName, IPAddress, DistinctFailureCount, DistinctSuccessCount, SuccessAccounts, AuthenticationRequirement, ConditionalAccessStatus, IsInteractive, UserAgent, NetworkLocationDetails, DeviceDetail, TokenIssuerType, TokenIssuerName, ResourceIdentity
relevantTechniques:
- T1110
entityMappings:
- fieldMappings:
- columnName: IPAddress
identifier: Address
entityType: IP
triggerThreshold: 0
description: |
'Identifies evidence of password spray activity against Connect Health for AD FS sign-in events by looking for failures from multiple accounts from the same IP address within a time window.
Reference: https://adfshelp.microsoft.com/References/ConnectHealthErrorCodeReference'
requiredDataConnectors:
- connectorId: AzureActiveDirectory
dataTypes:
- ADFSSignInLogs
triggerOperator: gt
version: 1.0.1
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Entra ID/Analytic Rules/ADFSSignInLogsPasswordSpray.yaml
id: 5533fe80-905e-49d5-889a-df27d2c3976d
queryFrequency: 30m
query: |
let queryfrequency = 30m;
let accountthreshold = 10;
let successCodes = dynamic([0, 50144]);
ADFSSignInLogs
| extend IngestionTime = ingestion_time()
| where IngestionTime > ago(queryfrequency)
| where not(todynamic(AuthenticationDetails)[0].authenticationMethod == "Integrated Windows Authentication")
| summarize
DistinctFailureCount = dcountif(UserPrincipalName, ResultType !in (successCodes)),
DistinctSuccessCount = dcountif(UserPrincipalName, ResultType in (successCodes)),
SuccessAccounts = make_set_if(UserPrincipalName, ResultType in (successCodes), 250),
arg_min(TimeGenerated, *)
by IPAddress
| where DistinctFailureCount > DistinctSuccessCount and DistinctFailureCount >= accountthreshold
//| extend SuccessAccounts = iff(array_length(SuccessAccounts) != 0, SuccessAccounts, dynamic(["null"]))
//| mv-expand SuccessAccounts
| project TimeGenerated, Category, OperationName, IPAddress, DistinctFailureCount, DistinctSuccessCount, SuccessAccounts, AuthenticationRequirement, ConditionalAccessStatus, IsInteractive, UserAgent, NetworkLocationDetails, DeviceDetail, TokenIssuerType, TokenIssuerName, ResourceIdentity
severity: Medium
status: Available
queryPeriod: 1h
name: Password spray attack against ADFSSignInLogs
tactics:
- CredentialAccess
kind: Scheduled