Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Password spray attack against ADFSSignInLogs

Back
Id5533fe80-905e-49d5-889a-df27d2c3976d
RulenamePassword spray attack against ADFSSignInLogs
DescriptionIdentifies evidence of password spray activity against Connect Health for AD FS sign-in events by looking for failures from multiple accounts from the same IP address within a time window.

Reference: https://adfshelp.microsoft.com/References/ConnectHealthErrorCodeReference
SeverityMedium
TacticsCredentialAccess
TechniquesT1110
Required data connectorsAzureActiveDirectory
KindScheduled
Query frequency30m
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Entra ID/Analytic Rules/ADFSSignInLogsPasswordSpray.yaml
Version1.0.1
Arm template5533fe80-905e-49d5-889a-df27d2c3976d.json
Deploy To Azure
let queryfrequency = 30m;
let accountthreshold = 10;
let successCodes = dynamic([0, 50144]);
ADFSSignInLogs
| extend IngestionTime = ingestion_time()
| where IngestionTime > ago(queryfrequency)
| where not(todynamic(AuthenticationDetails)[0].authenticationMethod == "Integrated Windows Authentication")
| summarize
    DistinctFailureCount = dcountif(UserPrincipalName, ResultType !in (successCodes)),
    DistinctSuccessCount = dcountif(UserPrincipalName, ResultType in (successCodes)),
    SuccessAccounts = make_set_if(UserPrincipalName, ResultType in (successCodes), 250),
    arg_min(TimeGenerated, *)
    by IPAddress
| where DistinctFailureCount > DistinctSuccessCount and DistinctFailureCount >= accountthreshold
//| extend SuccessAccounts = iff(array_length(SuccessAccounts) != 0, SuccessAccounts, dynamic(["null"]))
//| mv-expand SuccessAccounts
| project TimeGenerated, Category, OperationName, IPAddress, DistinctFailureCount, DistinctSuccessCount, SuccessAccounts, AuthenticationRequirement, ConditionalAccessStatus, IsInteractive, UserAgent, NetworkLocationDetails, DeviceDetail, TokenIssuerType, TokenIssuerName, ResourceIdentity
status: Available
id: 5533fe80-905e-49d5-889a-df27d2c3976d
name: Password spray attack against ADFSSignInLogs
requiredDataConnectors:
- connectorId: AzureActiveDirectory
  dataTypes:
  - ADFSSignInLogs
severity: Medium
triggerThreshold: 0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Entra ID/Analytic Rules/ADFSSignInLogsPasswordSpray.yaml
kind: Scheduled
description: |
  'Identifies evidence of password spray activity against Connect Health for AD FS sign-in events by looking for failures from multiple accounts from the same IP address within a time window.
  Reference: https://adfshelp.microsoft.com/References/ConnectHealthErrorCodeReference'  
relevantTechniques:
- T1110
queryPeriod: 1h
triggerOperator: gt
queryFrequency: 30m
query: |
  let queryfrequency = 30m;
  let accountthreshold = 10;
  let successCodes = dynamic([0, 50144]);
  ADFSSignInLogs
  | extend IngestionTime = ingestion_time()
  | where IngestionTime > ago(queryfrequency)
  | where not(todynamic(AuthenticationDetails)[0].authenticationMethod == "Integrated Windows Authentication")
  | summarize
      DistinctFailureCount = dcountif(UserPrincipalName, ResultType !in (successCodes)),
      DistinctSuccessCount = dcountif(UserPrincipalName, ResultType in (successCodes)),
      SuccessAccounts = make_set_if(UserPrincipalName, ResultType in (successCodes), 250),
      arg_min(TimeGenerated, *)
      by IPAddress
  | where DistinctFailureCount > DistinctSuccessCount and DistinctFailureCount >= accountthreshold
  //| extend SuccessAccounts = iff(array_length(SuccessAccounts) != 0, SuccessAccounts, dynamic(["null"]))
  //| mv-expand SuccessAccounts
  | project TimeGenerated, Category, OperationName, IPAddress, DistinctFailureCount, DistinctSuccessCount, SuccessAccounts, AuthenticationRequirement, ConditionalAccessStatus, IsInteractive, UserAgent, NetworkLocationDetails, DeviceDetail, TokenIssuerType, TokenIssuerName, ResourceIdentity  
version: 1.0.1
tactics:
- CredentialAccess
entityMappings:
- fieldMappings:
  - identifier: Address
    columnName: IPAddress
  entityType: IP
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2023-02-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/5533fe80-905e-49d5-889a-df27d2c3976d')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/5533fe80-905e-49d5-889a-df27d2c3976d')]",
      "properties": {
        "alertRuleTemplateName": "5533fe80-905e-49d5-889a-df27d2c3976d",
        "customDetails": null,
        "description": "'Identifies evidence of password spray activity against Connect Health for AD FS sign-in events by looking for failures from multiple accounts from the same IP address within a time window.\nReference: https://adfshelp.microsoft.com/References/ConnectHealthErrorCodeReference'\n",
        "displayName": "Password spray attack against ADFSSignInLogs",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "IPAddress",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Entra ID/Analytic Rules/ADFSSignInLogsPasswordSpray.yaml",
        "query": "let queryfrequency = 30m;\nlet accountthreshold = 10;\nlet successCodes = dynamic([0, 50144]);\nADFSSignInLogs\n| extend IngestionTime = ingestion_time()\n| where IngestionTime > ago(queryfrequency)\n| where not(todynamic(AuthenticationDetails)[0].authenticationMethod == \"Integrated Windows Authentication\")\n| summarize\n    DistinctFailureCount = dcountif(UserPrincipalName, ResultType !in (successCodes)),\n    DistinctSuccessCount = dcountif(UserPrincipalName, ResultType in (successCodes)),\n    SuccessAccounts = make_set_if(UserPrincipalName, ResultType in (successCodes), 250),\n    arg_min(TimeGenerated, *)\n    by IPAddress\n| where DistinctFailureCount > DistinctSuccessCount and DistinctFailureCount >= accountthreshold\n//| extend SuccessAccounts = iff(array_length(SuccessAccounts) != 0, SuccessAccounts, dynamic([\"null\"]))\n//| mv-expand SuccessAccounts\n| project TimeGenerated, Category, OperationName, IPAddress, DistinctFailureCount, DistinctSuccessCount, SuccessAccounts, AuthenticationRequirement, ConditionalAccessStatus, IsInteractive, UserAgent, NetworkLocationDetails, DeviceDetail, TokenIssuerType, TokenIssuerName, ResourceIdentity\n",
        "queryFrequency": "PT30M",
        "queryPeriod": "PT1H",
        "severity": "Medium",
        "status": "Available",
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CredentialAccess"
        ],
        "techniques": [
          "T1110"
        ],
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}