Potential Password Spray Attack Uses Authentication Normalization

Back


Id	6a2e2ff4-5568-475e-bef2-b95f12b9367b
Rulename	Potential Password Spray Attack (Uses Authentication Normalization)
Description	This query searches for failed attempts to log in from more than 15 various users within a 5 minute timeframe from the same source. This is a potential indication of a password spray attack To use this analytics rule, make sure you have deployed the ASIM normalization parsers
Severity	Medium
Tactics	CredentialAccess
Techniques	T1110
Kind	Scheduled
Query frequency	1h
Query period	1h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimAuthentication/imAuthPasswordSpray.yaml
Version	1.1.3
Arm template	6a2e2ff4-5568-475e-bef2-b95f12b9367b.json

KQL

let FailureThreshold = 15;
imAuthentication
| where EventType== 'Logon' and  EventResult== 'Failure'
// reason: creds 
| where EventResultDetails in ('No such user or password', 'Incorrect password')
| summarize UserCount=dcount(TargetUserId), Vendors=make_set(EventVendor), Products=make_set(EventVendor)
  , Users = make_set(TargetUserId,100) 
    by SrcDvcIpAddr, SrcGeoCountry, bin(TimeGenerated, 5m)
| where UserCount > FailureThreshold

YAML

id: 6a2e2ff4-5568-475e-bef2-b95f12b9367b
tactics:
- CredentialAccess
queryPeriod: 1h
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimAuthentication/imAuthPasswordSpray.yaml
metadata:
  categories:
    domains:
    - Security - Others
    - Identity
  source:
    kind: Community
  support:
    tier: Community
  author:
    name: Ofer Shezaf
triggerThreshold: 0
name: Potential Password Spray Attack (Uses Authentication Normalization)
query: |
  let FailureThreshold = 15;
  imAuthentication
  | where EventType== 'Logon' and  EventResult== 'Failure'
  // reason: creds 
  | where EventResultDetails in ('No such user or password', 'Incorrect password')
  | summarize UserCount=dcount(TargetUserId), Vendors=make_set(EventVendor), Products=make_set(EventVendor)
    , Users = make_set(TargetUserId,100) 
      by SrcDvcIpAddr, SrcGeoCountry, bin(TimeGenerated, 5m)
  | where UserCount > FailureThreshold  
severity: Medium
triggerOperator: gt
kind: Scheduled
relevantTechniques:
- T1110
tags:
- Id: e27dd7e5-4367-4c40-a2b7-fcd7e7a8a508
  version: 1.0.0
- SchemaVersion: 0.1.0
  Schema: ASIMAuthentication
queryFrequency: 1h
requiredDataConnectors: []
description: |
  'This query searches for failed attempts to log in from more than 15 various users within a 5 minute timeframe from the same source. This is a potential indication of a password spray attack
   To use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimAuthentication)'  
version: 1.1.3
entityMappings:
- fieldMappings:
  - columnName: SrcDvcIpAddr
    identifier: Address
  entityType: IP

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/6a2e2ff4-5568-475e-bef2-b95f12b9367b')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/6a2e2ff4-5568-475e-bef2-b95f12b9367b')]",
      "properties": {
        "alertRuleTemplateName": "6a2e2ff4-5568-475e-bef2-b95f12b9367b",
        "customDetails": null,
        "description": "'This query searches for failed attempts to log in from more than 15 various users within a 5 minute timeframe from the same source. This is a potential indication of a password spray attack\n To use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimAuthentication)'\n",
        "displayName": "Potential Password Spray Attack (Uses Authentication Normalization)",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "SrcDvcIpAddr",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimAuthentication/imAuthPasswordSpray.yaml",
        "query": "let FailureThreshold = 15;\nimAuthentication\n| where EventType== 'Logon' and  EventResult== 'Failure'\n// reason: creds \n| where EventResultDetails in ('No such user or password', 'Incorrect password')\n| summarize UserCount=dcount(TargetUserId), Vendors=make_set(EventVendor), Products=make_set(EventVendor)\n  , Users = make_set(TargetUserId,100) \n    by SrcDvcIpAddr, SrcGeoCountry, bin(TimeGenerated, 5m)\n| where UserCount > FailureThreshold\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Medium",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CredentialAccess"
        ],
        "tags": [
          {
            "Id": "e27dd7e5-4367-4c40-a2b7-fcd7e7a8a508",
            "version": "1.0.0"
          },
          {
            "Schema": "ASIMAuthentication",
            "SchemaVersion": "0.1.0"
          }
        ],
        "techniques": [
          "T1110"
        ],
        "templateVersion": "1.1.3",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}