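// Potential password spray: many distinct accounts fail password authentication from a
// single source IP inside one 5-minute bin. FailureThreshold is the number of distinct
// users a source must exceed; tune it to the tenant's normal login-failure volume.
let FailureThreshold = 15;
SalesforceServiceCloud
// Login events that did not succeed.
| where EventType =~ 'Login' and LoginStatus != 'LOGIN_NO_ERROR'
// Only bad-password outcomes (direct and SSO) are counted; other failure statuses are not.
| where LoginStatus in~ ('LOGIN_ERROR_INVALID_PASSWORD', 'LOGIN_ERROR_SSO_PWD_INVALID')
// Drop rows with no source IP or no user: an empty ClientIp would otherwise collapse every
// such event into one bucket that can trip the threshold on its own, and an empty UserId
// would count as a distinct "user". Neither can be attributed to a real entity.
| where isnotempty(ClientIp) and isnotempty(UserId)
| extend TimestampDerived = todatetime(TimestampDerived)
// Distinct targeted accounts per source IP per fixed (clock-aligned) 5-minute bin.
// make_set is capped at 100, so the Users list may be truncated for large sprays.
| summarize UserCount=dcount(UserId), Users = make_set(UserId,100) by ClientIp, bin(TimestampDerived, 5m)
// Strictly greater than the threshold (16+ distinct users with the default). A spray spread
// across many source IPs, or paced below the per-bin threshold, is not detected here.
| where UserCount > FailureThreshold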
name: Potential Password Spray Attack
id: 64d16e62-1a17-4a35-9ea7-2b9fe6f07118
description: |
'This query searches for failed password login attempts (invalid password or invalid SSO password) against more than 15 distinct user accounts within a 5-minute window from the same source IP address. This is a potential indication of a password spray attack. Sprays distributed across many source IPs, or paced below the per-window threshold, are not detected by this rule.'
triggerThreshold: 0
entityMappings:
- fieldMappings:
- columnName: ClientIp
identifier: Address
entityType: IP
version: 1.0.4
triggerOperator: gt
query: |
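// Potential password spray: many distinct accounts fail password authentication from a
// single source IP inside one 5-minute bin. FailureThreshold is the number of distinct
// users a source must exceed; tune it to the tenant's normal login-failure volume.
let FailureThreshold = 15;
SalesforceServiceCloud
// Login events that did not succeed.
| where EventType =~ 'Login' and LoginStatus != 'LOGIN_NO_ERROR'
// Only bad-password outcomes (direct and SSO) are counted; other failure statuses are not.
| where LoginStatus in~ ('LOGIN_ERROR_INVALID_PASSWORD', 'LOGIN_ERROR_SSO_PWD_INVALID')
// Drop rows with no source IP or no user: an empty ClientIp would otherwise collapse every
// such event into one bucket that can trip the threshold on its own, and an empty UserId
// would count as a distinct "user". Neither can be attributed to a real entity.
| where isnotempty(ClientIp) and isnotempty(UserId)
| extend TimestampDerived = todatetime(TimestampDerived)
// Distinct targeted accounts per source IP per fixed (clock-aligned) 5-minute bin.
// make_set is capped at 100, so the Users list may be truncated for large sprays.
| summarize UserCount=dcount(UserId), Users = make_set(UserId,100) by ClientIp, bin(TimestampDerived, 5m)
// Strictly greater than the threshold (16+ distinct users with the default). A spray spread
// across many source IPs, or paced below the per-bin threshold, is not detected here.
| where UserCount > FailureThreshold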
tactics:
- CredentialAccess
kind: Scheduled
queryFrequency: 1h
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Salesforce Service Cloud/Analytic Rules/Salesforce-PasswordSpray.yaml
severity: Medium
queryPeriod: 1h
requiredDataConnectors:
- dataTypes:
- SalesforceServiceCloud
connectorId: SalesforceServiceCloudCCPDefinition
status: Available
customDetails:
Users: Users
relevantTechniques:
- T1110