Brute force attack against user credentials
| Id | 5a6ce089-e756-40fb-b022-c8e8864a973a |
| Rulename | Brute force attack against user credentials |
| Description | Identifies evidence of brute force activity against a user based on multiple authentication failures and at least one successful authentication within a given time window. This query limits IPAddresses to 100 and may not potentially cover all IPAddresses. The default failure threshold is 10, success threshold is 1, and the default time window is 20 minutes. |
| Severity | Medium |
| Tactics | CredentialAccess |
| Techniques | T1110 |
| Required data connectors | SalesforceServiceCloud |
| Kind | Scheduled |
| Query frequency | 20m |
| Query period | 20m |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Salesforce Service Cloud/Analytic Rules/Salesforce-BruteForce.yaml |
| Version | 1.0.2 |
| Arm template | 5a6ce089-e756-40fb-b022-c8e8864a973a.json |
let failureCountThreshold = 10;
let successCountThreshold = 1;
let Failures =
SalesforceServiceCloud
| where EventType == "Login" and LoginStatus != "LOGIN_NO_ERROR"
| summarize
FailureStartTime = min(TimeGenerated),
FailureEndTime = max(TimeGenerated),
IpAddresses = make_set (ClientIp, 100),
FailureCount = count() by User, UserId, UserType;
SalesforceServiceCloud
| where EventType == "Login" and LoginStatus == "LOGIN_NO_ERROR"
| summarize
SuccessStartTime = min(TimeGenerated),
SuccessEndTime = max(TimeGenerated),
IpAddresses = make_set (ClientIp, 100),
SuccessCount = count() by User, UserId, UserType
| join kind=leftouter Failures on UserId
| where FailureCount >= failureCountThreshold and SuccessCount >= successCountThreshold
| where FailureEndTime < SuccessStartTime
| project User, EventStartTime = FailureStartTime, EventEndTime = SuccessEndTime, IpAddresses
id: 5a6ce089-e756-40fb-b022-c8e8864a973a
tactics:
- CredentialAccess
queryPeriod: 20m
triggerThreshold: 0
name: Brute force attack against user credentials
query: |
let failureCountThreshold = 10;
let successCountThreshold = 1;
let Failures =
SalesforceServiceCloud
| where EventType == "Login" and LoginStatus != "LOGIN_NO_ERROR"
| summarize
FailureStartTime = min(TimeGenerated),
FailureEndTime = max(TimeGenerated),
IpAddresses = make_set (ClientIp, 100),
FailureCount = count() by User, UserId, UserType;
SalesforceServiceCloud
| where EventType == "Login" and LoginStatus == "LOGIN_NO_ERROR"
| summarize
SuccessStartTime = min(TimeGenerated),
SuccessEndTime = max(TimeGenerated),
IpAddresses = make_set (ClientIp, 100),
SuccessCount = count() by User, UserId, UserType
| join kind=leftouter Failures on UserId
| where FailureCount >= failureCountThreshold and SuccessCount >= successCountThreshold
| where FailureEndTime < SuccessStartTime
| project User, EventStartTime = FailureStartTime, EventEndTime = SuccessEndTime, IpAddresses
severity: Medium
customDetails:
EventEndTime: SuccessEndTime
EventStartTime: FailureStartTime
IPAddresses: IpAddresses
triggerOperator: gt
kind: Scheduled
relevantTechniques:
- T1110
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Salesforce Service Cloud/Analytic Rules/Salesforce-BruteForce.yaml
queryFrequency: 20m
requiredDataConnectors:
- connectorId: SalesforceServiceCloud
dataTypes:
- SalesforceServiceCloud
description: |
'Identifies evidence of brute force activity against a user based on multiple authentication failures and at least one successful authentication within a given time window. This query limits IPAddresses to 100 and may not potentially cover all IPAddresses.
The default failure threshold is 10, success threshold is 1, and the default time window is 20 minutes.'
status: Available
version: 1.0.2
entityMappings:
- fieldMappings:
- columnName: User
identifier: FullName
entityType: Account
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/5a6ce089-e756-40fb-b022-c8e8864a973a')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/5a6ce089-e756-40fb-b022-c8e8864a973a')]",
"properties": {
"alertRuleTemplateName": "5a6ce089-e756-40fb-b022-c8e8864a973a",
"customDetails": {
"EventEndTime": "SuccessEndTime",
"EventStartTime": "FailureStartTime",
"IPAddresses": "IpAddresses"
},
"description": "'Identifies evidence of brute force activity against a user based on multiple authentication failures and at least one successful authentication within a given time window. This query limits IPAddresses to 100 and may not potentially cover all IPAddresses.\nThe default failure threshold is 10, success threshold is 1, and the default time window is 20 minutes.'\n",
"displayName": "Brute force attack against user credentials",
"enabled": true,
"entityMappings": [
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "User",
"identifier": "FullName"
}
]
}
],
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Salesforce Service Cloud/Analytic Rules/Salesforce-BruteForce.yaml",
"query": "let failureCountThreshold = 10;\nlet successCountThreshold = 1;\nlet Failures =\nSalesforceServiceCloud\n| where EventType == \"Login\" and LoginStatus != \"LOGIN_NO_ERROR\"\n| summarize\n FailureStartTime = min(TimeGenerated),\n FailureEndTime = max(TimeGenerated),\n IpAddresses = make_set (ClientIp, 100),\n FailureCount = count() by User, UserId, UserType;\n SalesforceServiceCloud\n | where EventType == \"Login\" and LoginStatus == \"LOGIN_NO_ERROR\"\n | summarize\n SuccessStartTime = min(TimeGenerated),\n SuccessEndTime = max(TimeGenerated),\n IpAddresses = make_set (ClientIp, 100),\n SuccessCount = count() by User, UserId, UserType\n | join kind=leftouter Failures on UserId\n | where FailureCount >= failureCountThreshold and SuccessCount >= successCountThreshold\n | where FailureEndTime < SuccessStartTime\n | project User, EventStartTime = FailureStartTime, EventEndTime = SuccessEndTime, IpAddresses\n",
"queryFrequency": "PT20M",
"queryPeriod": "PT20M",
"severity": "Medium",
"status": "Available",
"subTechniques": [],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"CredentialAccess"
],
"techniques": [
"T1110"
],
"templateVersion": "1.0.2",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}