Brute force attack against user credentials

Back


Id	5a6ce089-e756-40fb-b022-c8e8864a973a
Rulename	Brute force attack against user credentials
Description	Identifies evidence of brute force activity against a user based on multiple authentication failures and at least one successful authentication within a given time window. This query limits IPAddresses to 100 and may not potentially cover all IPAddresses. The default failure threshold is 10, success threshold is 1, and the default time window is 20 minutes.
Severity	Medium
Tactics	CredentialAccess
Techniques	T1110
Required data connectors	SalesforceServiceCloud
Kind	Scheduled
Query frequency	1h
Query period	1h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Salesforce Service Cloud/Analytic Rules/Salesforce-BruteForce.yaml
Version	1.0.3
Arm template	5a6ce089-e756-40fb-b022-c8e8864a973a.json

KQL

let failureCountThreshold = 10;
let successCountThreshold = 1;
let Failures =
SalesforceServiceCloud
| where EventType == "Login" and LoginStatus != "LOGIN_NO_ERROR"
| summarize
      FailureStartTime = min(TimeGenerated),
      FailureEndTime = max(TimeGenerated),
      IpAddresses = make_set (ClientIp, 100),
      FailureCount = count() by User, UserId, UserType;
  SalesforceServiceCloud
  | where EventType == "Login" and LoginStatus == "LOGIN_NO_ERROR"
  | summarize
          SuccessStartTime = min(TimeGenerated),
          SuccessEndTime = max(TimeGenerated),
          IpAddresses = make_set (ClientIp, 100),
          SuccessCount = count() by User, UserId, UserType
  | join kind=leftouter Failures on UserId
  | where FailureCount >= failureCountThreshold and SuccessCount >= successCountThreshold
  | where FailureEndTime < SuccessStartTime
  | project User, EventStartTime = FailureStartTime, EventEndTime = SuccessEndTime, IpAddresses

YAML

OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Salesforce Service Cloud/Analytic Rules/Salesforce-BruteForce.yaml
query: |
  let failureCountThreshold = 10;
  let successCountThreshold = 1;
  let Failures =
  SalesforceServiceCloud
  | where EventType == "Login" and LoginStatus != "LOGIN_NO_ERROR"
  | summarize
        FailureStartTime = min(TimeGenerated),
        FailureEndTime = max(TimeGenerated),
        IpAddresses = make_set (ClientIp, 100),
        FailureCount = count() by User, UserId, UserType;
    SalesforceServiceCloud
    | where EventType == "Login" and LoginStatus == "LOGIN_NO_ERROR"
    | summarize
            SuccessStartTime = min(TimeGenerated),
            SuccessEndTime = max(TimeGenerated),
            IpAddresses = make_set (ClientIp, 100),
            SuccessCount = count() by User, UserId, UserType
    | join kind=leftouter Failures on UserId
    | where FailureCount >= failureCountThreshold and SuccessCount >= successCountThreshold
    | where FailureEndTime < SuccessStartTime
    | project User, EventStartTime = FailureStartTime, EventEndTime = SuccessEndTime, IpAddresses  
description: |
  'Identifies evidence of brute force activity against a user based on multiple authentication failures and at least one successful authentication within a given time window. This query limits IPAddresses to 100 and may not potentially cover all IPAddresses.
  The default failure threshold is 10, success threshold is 1, and the default time window is 20 minutes.'  
severity: Medium
requiredDataConnectors:
- dataTypes:
  - SalesforceServiceCloud
  connectorId: SalesforceServiceCloud
name: Brute force attack against user credentials
triggerThreshold: 0
customDetails:
  EventStartTime: FailureStartTime
  IPAddresses: IpAddresses
  EventEndTime: SuccessEndTime
tactics:
- CredentialAccess
version: 1.0.3
relevantTechniques:
- T1110
triggerOperator: gt
entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: User
    identifier: FullName
id: 5a6ce089-e756-40fb-b022-c8e8864a973a
status: Available
kind: Scheduled
queryFrequency: 1h
queryPeriod: 1h

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/5a6ce089-e756-40fb-b022-c8e8864a973a')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/5a6ce089-e756-40fb-b022-c8e8864a973a')]",
      "properties": {
        "alertRuleTemplateName": "5a6ce089-e756-40fb-b022-c8e8864a973a",
        "customDetails": {
          "EventEndTime": "SuccessEndTime",
          "EventStartTime": "FailureStartTime",
          "IPAddresses": "IpAddresses"
        },
        "description": "'Identifies evidence of brute force activity against a user based on multiple authentication failures and at least one successful authentication within a given time window. This query limits IPAddresses to 100 and may not potentially cover all IPAddresses.\nThe default failure threshold is 10, success threshold is 1, and the default time window is 20 minutes.'\n",
        "displayName": "Brute force attack against user credentials",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "User",
                "identifier": "FullName"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Salesforce Service Cloud/Analytic Rules/Salesforce-BruteForce.yaml",
        "query": "let failureCountThreshold = 10;\nlet successCountThreshold = 1;\nlet Failures =\nSalesforceServiceCloud\n| where EventType == \"Login\" and LoginStatus != \"LOGIN_NO_ERROR\"\n| summarize\n      FailureStartTime = min(TimeGenerated),\n      FailureEndTime = max(TimeGenerated),\n      IpAddresses = make_set (ClientIp, 100),\n      FailureCount = count() by User, UserId, UserType;\n  SalesforceServiceCloud\n  | where EventType == \"Login\" and LoginStatus == \"LOGIN_NO_ERROR\"\n  | summarize\n          SuccessStartTime = min(TimeGenerated),\n          SuccessEndTime = max(TimeGenerated),\n          IpAddresses = make_set (ClientIp, 100),\n          SuccessCount = count() by User, UserId, UserType\n  | join kind=leftouter Failures on UserId\n  | where FailureCount >= failureCountThreshold and SuccessCount >= successCountThreshold\n  | where FailureEndTime < SuccessStartTime\n  | project User, EventStartTime = FailureStartTime, EventEndTime = SuccessEndTime, IpAddresses\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CredentialAccess"
        ],
        "techniques": [
          "T1110"
        ],
        "templateVersion": "1.0.3",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}