Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Failed AWS Console logons but success logon to AzureAD

Failed AWS Console logons but success logon to AzureAD

Back
Id910124df-913c-47e3-a7cd-29e1643fa55e
RulenameFailed AWS Console logons but success logon to AzureAD
DescriptionIdentifies a list of IP addresses with a minimum number (default of 5) of failed logon attempts to AWS Console.

Uses that list to identify any successful Microsoft Entra ID logons from these IPs within the same timeframe.
SeverityMedium
TacticsInitialAccess
CredentialAccess
TechniquesT1078
T1110
Required data connectorsAWS
AzureActiveDirectory
KindScheduled
Query frequency1d
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AWSConsoleAADCorrelation.yaml
Version1.2.1
Arm template910124df-913c-47e3-a7cd-29e1643fa55e.json
Deploy To Azure
//Adjust this threshold to fit environment
let  signin_threshold = 5;
//Make a list of IPs with failed AWS console logins
let aws_fails = AWSCloudTrail
| where EventName == "ConsoleLogin"
| extend LoginResult = tostring(parse_json(ResponseElements).ConsoleLogin)
| where LoginResult != "Success"
| where SourceIpAddress != "127.0.0.1"
| summarize count() by SourceIpAddress
| where count_ >  signin_threshold
| summarize make_set(SourceIpAddress);
//See if any of those IPs have sucessfully logged into Azure AD.
SigninLogs
| where ResultType in ("0", "50125", "50140")
| where IPAddress in (aws_fails)
| extend Reason = "Multiple failed AWS Console logins from IP address"
| extend timestamp = TimeGenerated, AccountName = tostring(split(UserPrincipalName, "@")[0]), AccountUPNSuffix = tostring(split(UserPrincipalName, "@")[1])

metadata:
  categories:
    domains:
    - Security - Others
    - Identity
  author:
    name: Microsoft Security Research
  source:
    kind: Community
  support:
    tier: Community
id: 910124df-913c-47e3-a7cd-29e1643fa55e
query: |
  //Adjust this threshold to fit environment
  let  signin_threshold = 5;
  //Make a list of IPs with failed AWS console logins
  let aws_fails = AWSCloudTrail
  | where EventName == "ConsoleLogin"
  | extend LoginResult = tostring(parse_json(ResponseElements).ConsoleLogin)
  | where LoginResult != "Success"
  | where SourceIpAddress != "127.0.0.1"
  | summarize count() by SourceIpAddress
  | where count_ >  signin_threshold
  | summarize make_set(SourceIpAddress);
  //See if any of those IPs have sucessfully logged into Azure AD.
  SigninLogs
  | where ResultType in ("0", "50125", "50140")
  | where IPAddress in (aws_fails)
  | extend Reason = "Multiple failed AWS Console logins from IP address"
  | extend timestamp = TimeGenerated, AccountName = tostring(split(UserPrincipalName, "@")[0]), AccountUPNSuffix = tostring(split(UserPrincipalName, "@")[1])  
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AWSConsoleAADCorrelation.yaml
description: |
  'Identifies a list of IP addresses with a minimum number (default of 5) of failed logon attempts to AWS Console.
  Uses that list to identify any successful Microsoft Entra ID logons from these IPs within the same timeframe.'  
name: Failed AWS Console logons but success logon to AzureAD
relevantTechniques:
- T1078
- T1110
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: FullName
    columnName: UserPrincipalName
  - identifier: Name
    columnName: AccountName
  - identifier: UPNSuffix
    columnName: AccountUPNSuffix
- entityType: Account
  fieldMappings:
  - identifier: AadUserId
    columnName: UserId
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: IPAddress
triggerThreshold: 0
severity: Medium
requiredDataConnectors:
- dataTypes:
  - SigninLogs
  connectorId: AzureActiveDirectory
- dataTypes:
  - AWSCloudTrail
  connectorId: AWS
queryFrequency: 1d
queryPeriod: 1d
version: 1.2.1
kind: Scheduled
tactics:
- InitialAccess
- CredentialAccess
triggerOperator: gt

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/910124df-913c-47e3-a7cd-29e1643fa55e')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/910124df-913c-47e3-a7cd-29e1643fa55e')]",
      "properties": {
        "alertRuleTemplateName": "910124df-913c-47e3-a7cd-29e1643fa55e",
        "customDetails": null,
        "description": "'Identifies a list of IP addresses with a minimum number (default of 5) of failed logon attempts to AWS Console.\nUses that list to identify any successful Microsoft Entra ID logons from these IPs within the same timeframe.'\n",
        "displayName": "Failed AWS Console logons but success logon to AzureAD",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "UserPrincipalName",
                "identifier": "FullName"
              },
              {
                "columnName": "AccountName",
                "identifier": "Name"
              },
              {
                "columnName": "AccountUPNSuffix",
                "identifier": "UPNSuffix"
              }
            ]
          },
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "UserId",
                "identifier": "AadUserId"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "IPAddress",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/AWSConsoleAADCorrelation.yaml",
        "query": "//Adjust this threshold to fit environment\nlet  signin_threshold = 5;\n//Make a list of IPs with failed AWS console logins\nlet aws_fails = AWSCloudTrail\n| where EventName == \"ConsoleLogin\"\n| extend LoginResult = tostring(parse_json(ResponseElements).ConsoleLogin)\n| where LoginResult != \"Success\"\n| where SourceIpAddress != \"127.0.0.1\"\n| summarize count() by SourceIpAddress\n| where count_ >  signin_threshold\n| summarize make_set(SourceIpAddress);\n//See if any of those IPs have sucessfully logged into Azure AD.\nSigninLogs\n| where ResultType in (\"0\", \"50125\", \"50140\")\n| where IPAddress in (aws_fails)\n| extend Reason = \"Multiple failed AWS Console logins from IP address\"\n| extend timestamp = TimeGenerated, AccountName = tostring(split(UserPrincipalName, \"@\")[0]), AccountUPNSuffix = tostring(split(UserPrincipalName, \"@\")[1])\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P1D",
        "severity": "Medium",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CredentialAccess",
          "InitialAccess"
        ],
        "techniques": [
          "T1078",
          "T1110"
        ],
        "templateVersion": "1.2.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}