Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Potential Password Spray Attack (Uses Authentication Normalization)

Back
Id6a2e2ff4-5568-475e-bef2-b95f12b9367b
RulenamePotential Password Spray Attack (Uses Authentication Normalization)
DescriptionThis query searches for failed attempts to log in from more than 15 various users within a 5 minute timeframe from the same source. This is a potential indication of a password spray attack

To use this analytics rule, make sure you have deployed the ASIM normalization parsers
SeverityMedium
TacticsCredentialAccess
TechniquesT1110
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimAuthentication/imAuthPasswordSpray.yaml
Version1.1.2
Arm template6a2e2ff4-5568-475e-bef2-b95f12b9367b.json
Deploy To Azure
let FailureThreshold = 15;
imAuthentication
| where EventType== 'Logon' and  EventResult== 'Failure'
// reason: creds 
| where EventResultDetails in ('No such user or password', 'Incorrect password')
| summarize UserCount=dcount(TargetUserId), Vendors=make_set(EventVendor), Products=make_set(EventVendor)
  , Users = make_set(TargetUserId,100) 
    by SrcDvcIpAddr, SrcGeoCountry, bin(TimeGenerated, 5m)
| where UserCount > FailureThreshold
| extend timestamp = TimeGenerated, IPCustomEntity = SrcDvcIpAddr
requiredDataConnectors: []
triggerOperator: gt
queryFrequency: 1h
name: Potential Password Spray Attack (Uses Authentication Normalization)
tags:
- version: 1.0.0
  Id: e27dd7e5-4367-4c40-a2b7-fcd7e7a8a508
- SchemaVersion: 0.1.0
  Schema: ASIMAuthentication
queryPeriod: 1h
metadata:
  categories:
    domains:
    - Security - Others
    - Identity
  support:
    tier: Community
  author:
    name: Ofer Shezaf
  source:
    kind: Community
id: 6a2e2ff4-5568-475e-bef2-b95f12b9367b
description: |
  'This query searches for failed attempts to log in from more than 15 various users within a 5 minute timeframe from the same source. This is a potential indication of a password spray attack
   To use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimAuthentication)'  
severity: Medium
query: |
  let FailureThreshold = 15;
  imAuthentication
  | where EventType== 'Logon' and  EventResult== 'Failure'
  // reason: creds 
  | where EventResultDetails in ('No such user or password', 'Incorrect password')
  | summarize UserCount=dcount(TargetUserId), Vendors=make_set(EventVendor), Products=make_set(EventVendor)
    , Users = make_set(TargetUserId,100) 
      by SrcDvcIpAddr, SrcGeoCountry, bin(TimeGenerated, 5m)
  | where UserCount > FailureThreshold
  | extend timestamp = TimeGenerated, IPCustomEntity = SrcDvcIpAddr  
version: 1.1.2
kind: Scheduled
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimAuthentication/imAuthPasswordSpray.yaml
entityMappings:
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: IPCustomEntity
relevantTechniques:
- T1110
tactics:
- CredentialAccess
triggerThreshold: 0
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/6a2e2ff4-5568-475e-bef2-b95f12b9367b')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/6a2e2ff4-5568-475e-bef2-b95f12b9367b')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01-preview",
      "properties": {
        "displayName": "Potential Password Spray Attack (Uses Authentication Normalization)",
        "description": "'This query searches for failed attempts to log in from more than 15 various users within a 5 minute timeframe from the same source. This is a potential indication of a password spray attack\n To use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimAuthentication)'\n",
        "severity": "Medium",
        "enabled": true,
        "query": "let FailureThreshold = 15;\nimAuthentication\n| where EventType== 'Logon' and  EventResult== 'Failure'\n// reason: creds \n| where EventResultDetails in ('No such user or password', 'Incorrect password')\n| summarize UserCount=dcount(TargetUserId), Vendors=make_set(EventVendor), Products=make_set(EventVendor)\n  , Users = make_set(TargetUserId,100) \n    by SrcDvcIpAddr, SrcGeoCountry, bin(TimeGenerated, 5m)\n| where UserCount > FailureThreshold\n| extend timestamp = TimeGenerated, IPCustomEntity = SrcDvcIpAddr\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CredentialAccess"
        ],
        "techniques": [
          "T1110"
        ],
        "alertRuleTemplateName": "6a2e2ff4-5568-475e-bef2-b95f12b9367b",
        "customDetails": null,
        "entityMappings": [
          {
            "fieldMappings": [
              {
                "identifier": "Address",
                "columnName": "IPCustomEntity"
              }
            ],
            "entityType": "IP"
          }
        ],
        "tags": [
          {
            "Id": "e27dd7e5-4367-4c40-a2b7-fcd7e7a8a508",
            "version": "1.0.0"
          },
          {
            "Schema": "ASIMAuthentication",
            "SchemaVersion": "0.1.0"
          }
        ],
        "templateVersion": "1.1.2",
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimAuthentication/imAuthPasswordSpray.yaml"
      }
    }
  ]
}