Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Brute force attack against user credentials

Back
Id5a6ce089-e756-40fb-b022-c8e8864a973a
RulenameBrute force attack against user credentials
DescriptionIdentifies evidence of brute force activity against a user based on multiple authentication failures and at least one successful authentication within a given time window. This query limits IPAddresses to 100 and may not potentially cover all IPAddresses.

The default failure threshold is 10, success threshold is 1, and the default time window is 20 minutes.
SeverityMedium
TacticsCredentialAccess
TechniquesT1110
Required data connectorsSalesforceServiceCloud
KindScheduled
Query frequency20m
Query period20m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Salesforce Service Cloud/Analytic Rules/Salesforce-BruteForce.yaml
Version1.0.2
Arm template5a6ce089-e756-40fb-b022-c8e8864a973a.json
Deploy To Azure
let failureCountThreshold = 10;
let successCountThreshold = 1;
let Failures =
SalesforceServiceCloud
| where EventType == "Login" and LoginStatus != "LOGIN_NO_ERROR"
| summarize
      FailureStartTime = min(TimeGenerated),
      FailureEndTime = max(TimeGenerated),
      IpAddresses = make_set (ClientIp, 100),
      FailureCount = count() by User, UserId, UserType;
  SalesforceServiceCloud
  | where EventType == "Login" and LoginStatus == "LOGIN_NO_ERROR"
  | summarize
          SuccessStartTime = min(TimeGenerated),
          SuccessEndTime = max(TimeGenerated),
          IpAddresses = make_set (ClientIp, 100),
          SuccessCount = count() by User, UserId, UserType
  | join kind=leftouter Failures on UserId
  | where FailureCount >= failureCountThreshold and SuccessCount >= successCountThreshold
  | where FailureEndTime < SuccessStartTime
  | project User, EventStartTime = FailureStartTime, EventEndTime = SuccessEndTime, IpAddresses
id: 5a6ce089-e756-40fb-b022-c8e8864a973a
name: Brute force attack against user credentials
triggerOperator: gt
status: Available
query: |
  let failureCountThreshold = 10;
  let successCountThreshold = 1;
  let Failures =
  SalesforceServiceCloud
  | where EventType == "Login" and LoginStatus != "LOGIN_NO_ERROR"
  | summarize
        FailureStartTime = min(TimeGenerated),
        FailureEndTime = max(TimeGenerated),
        IpAddresses = make_set (ClientIp, 100),
        FailureCount = count() by User, UserId, UserType;
    SalesforceServiceCloud
    | where EventType == "Login" and LoginStatus == "LOGIN_NO_ERROR"
    | summarize
            SuccessStartTime = min(TimeGenerated),
            SuccessEndTime = max(TimeGenerated),
            IpAddresses = make_set (ClientIp, 100),
            SuccessCount = count() by User, UserId, UserType
    | join kind=leftouter Failures on UserId
    | where FailureCount >= failureCountThreshold and SuccessCount >= successCountThreshold
    | where FailureEndTime < SuccessStartTime
    | project User, EventStartTime = FailureStartTime, EventEndTime = SuccessEndTime, IpAddresses  
queryPeriod: 20m
requiredDataConnectors:
- connectorId: SalesforceServiceCloud
  dataTypes:
  - SalesforceServiceCloud
severity: Medium
queryFrequency: 20m
customDetails:
  EventStartTime: FailureStartTime
  IPAddresses: IpAddresses
  EventEndTime: SuccessEndTime
relevantTechniques:
- T1110
version: 1.0.2
kind: Scheduled
tactics:
- CredentialAccess
triggerThreshold: 0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Salesforce Service Cloud/Analytic Rules/Salesforce-BruteForce.yaml
entityMappings:
- fieldMappings:
  - identifier: FullName
    columnName: User
  entityType: Account
description: |
  'Identifies evidence of brute force activity against a user based on multiple authentication failures and at least one successful authentication within a given time window. This query limits IPAddresses to 100 and may not potentially cover all IPAddresses.
  The default failure threshold is 10, success threshold is 1, and the default time window is 20 minutes.'  
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/5a6ce089-e756-40fb-b022-c8e8864a973a')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/5a6ce089-e756-40fb-b022-c8e8864a973a')]",
      "properties": {
        "alertRuleTemplateName": "5a6ce089-e756-40fb-b022-c8e8864a973a",
        "customDetails": {
          "EventEndTime": "SuccessEndTime",
          "EventStartTime": "FailureStartTime",
          "IPAddresses": "IpAddresses"
        },
        "description": "'Identifies evidence of brute force activity against a user based on multiple authentication failures and at least one successful authentication within a given time window. This query limits IPAddresses to 100 and may not potentially cover all IPAddresses.\nThe default failure threshold is 10, success threshold is 1, and the default time window is 20 minutes.'\n",
        "displayName": "Brute force attack against user credentials",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "User",
                "identifier": "FullName"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Salesforce Service Cloud/Analytic Rules/Salesforce-BruteForce.yaml",
        "query": "let failureCountThreshold = 10;\nlet successCountThreshold = 1;\nlet Failures =\nSalesforceServiceCloud\n| where EventType == \"Login\" and LoginStatus != \"LOGIN_NO_ERROR\"\n| summarize\n      FailureStartTime = min(TimeGenerated),\n      FailureEndTime = max(TimeGenerated),\n      IpAddresses = make_set (ClientIp, 100),\n      FailureCount = count() by User, UserId, UserType;\n  SalesforceServiceCloud\n  | where EventType == \"Login\" and LoginStatus == \"LOGIN_NO_ERROR\"\n  | summarize\n          SuccessStartTime = min(TimeGenerated),\n          SuccessEndTime = max(TimeGenerated),\n          IpAddresses = make_set (ClientIp, 100),\n          SuccessCount = count() by User, UserId, UserType\n  | join kind=leftouter Failures on UserId\n  | where FailureCount >= failureCountThreshold and SuccessCount >= successCountThreshold\n  | where FailureEndTime < SuccessStartTime\n  | project User, EventStartTime = FailureStartTime, EventEndTime = SuccessEndTime, IpAddresses\n",
        "queryFrequency": "PT20M",
        "queryPeriod": "PT20M",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CredentialAccess"
        ],
        "techniques": [
          "T1110"
        ],
        "templateVersion": "1.0.2",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}