Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Brute Force Attack against GitHub Account

Back
Id97ad74c4-fdd9-4a3f-b6bf-5e28f4f71e06
RulenameBrute Force Attack against GitHub Account
DescriptionAttackers who are trying to guess your users’ passwords or use brute-force methods to get in. If your organization is using SSO with Azure Active Directory, authentication logs to GitHub.com will be generated. Using the following query can help you identify a sudden increase in failed logon attempt of users.
SeverityMedium
TacticsCredentialAccess
TechniquesT1110
Required data connectorsAzureActiveDirectory
KindScheduled
Query frequency1d
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure Active Directory/Analytic Rules/Brute Force Attack against GitHub Account.yaml
Version1.0.0
Arm template97ad74c4-fdd9-4a3f-b6bf-5e28f4f71e06.json
Deploy To Azure
let LearningPeriod = 7d; 
let BinTime = 1h; 
let RunTime = 1h; 
let StartTime = 1h; 
let NumberOfStds = 3; 
let MinThreshold = 10.0; 
let EndRunTime = StartTime - RunTime; 
let EndLearningTime = StartTime + LearningPeriod;
let aadFunc = (tableName:string){
let GitHubFailedSSOLogins = (table(tableName)  
| where AppDisplayName == "GitHub.com" 
| where ResultType != 0); 
GitHubFailedSSOLogins 
| where TimeGenerated between (ago(EndLearningTime) .. ago(StartTime)) 
| summarize FailedLoginsCountInBinTime = count() by  UserPrincipalName, bin(TimeGenerated, BinTime), Type
| summarize AvgOfFailedLoginsInLearning = avg(FailedLoginsCountInBinTime), StdOfFailedLoginsInLearning = stdev(FailedLoginsCountInBinTime) by UserPrincipalName, Type
| extend LearningThreshold = max_of(AvgOfFailedLoginsInLearning + StdOfFailedLoginsInLearning * NumberOfStds, MinThreshold)  
| join kind=innerunique ( 
  GitHubFailedSSOLogins 
  | where TimeGenerated between (ago(StartTime) .. ago(EndRunTime)) 
  | summarize FailedLoginsCountInRunTime = count() by User = Identity, UserPrincipalName, bin(TimeGenerated, BinTime), Type
) on UserPrincipalName 
| where FailedLoginsCountInRunTime > LearningThreshold
| extend AccountCustomEntity = UserPrincipalName , timestamp = TimeGenerated
};
let aadSignin = aadFunc("SigninLogs");
let aadNonInt = aadFunc("AADNonInteractiveUserSignInLogs");
union isfuzzy=true aadSignin, aadNonInt
name: Brute Force Attack against GitHub Account
query: |
  let LearningPeriod = 7d; 
  let BinTime = 1h; 
  let RunTime = 1h; 
  let StartTime = 1h; 
  let NumberOfStds = 3; 
  let MinThreshold = 10.0; 
  let EndRunTime = StartTime - RunTime; 
  let EndLearningTime = StartTime + LearningPeriod;
  let aadFunc = (tableName:string){
  let GitHubFailedSSOLogins = (table(tableName)  
  | where AppDisplayName == "GitHub.com" 
  | where ResultType != 0); 
  GitHubFailedSSOLogins 
  | where TimeGenerated between (ago(EndLearningTime) .. ago(StartTime)) 
  | summarize FailedLoginsCountInBinTime = count() by  UserPrincipalName, bin(TimeGenerated, BinTime), Type
  | summarize AvgOfFailedLoginsInLearning = avg(FailedLoginsCountInBinTime), StdOfFailedLoginsInLearning = stdev(FailedLoginsCountInBinTime) by UserPrincipalName, Type
  | extend LearningThreshold = max_of(AvgOfFailedLoginsInLearning + StdOfFailedLoginsInLearning * NumberOfStds, MinThreshold)  
  | join kind=innerunique ( 
    GitHubFailedSSOLogins 
    | where TimeGenerated between (ago(StartTime) .. ago(EndRunTime)) 
    | summarize FailedLoginsCountInRunTime = count() by User = Identity, UserPrincipalName, bin(TimeGenerated, BinTime), Type
  ) on UserPrincipalName 
  | where FailedLoginsCountInRunTime > LearningThreshold
  | extend AccountCustomEntity = UserPrincipalName , timestamp = TimeGenerated
  };
  let aadSignin = aadFunc("SigninLogs");
  let aadNonInt = aadFunc("AADNonInteractiveUserSignInLogs");
  union isfuzzy=true aadSignin, aadNonInt  
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure Active Directory/Analytic Rules/Brute Force Attack against GitHub Account.yaml
queryFrequency: 1d
triggerThreshold: 0
requiredDataConnectors:
- dataTypes:
  - SigninLogs
  connectorId: AzureActiveDirectory
- dataTypes:
  - AADNonInteractiveUserSignInLogs
  connectorId: AzureActiveDirectory
version: 1.0.0
status: Available
queryPeriod: 1d
id: 97ad74c4-fdd9-4a3f-b6bf-5e28f4f71e06
triggerOperator: gt
entityMappings:
- fieldMappings:
  - identifier: FullName
    columnName: AccountCustomEntity
  entityType: Account
relevantTechniques:
- T1110
severity: Medium
description: |
    'Attackers who are trying to guess your users' passwords or use brute-force methods to get in. If your organization is using SSO with Azure Active Directory, authentication logs to GitHub.com will be generated. Using the following query can help you identify a sudden increase in failed logon attempt of users.'
kind: Scheduled
tactics:
- CredentialAccess
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/97ad74c4-fdd9-4a3f-b6bf-5e28f4f71e06')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/97ad74c4-fdd9-4a3f-b6bf-5e28f4f71e06')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01",
      "properties": {
        "displayName": "Brute Force Attack against GitHub Account",
        "description": "'Attackers who are trying to guess your users' passwords or use brute-force methods to get in. If your organization is using SSO with Azure Active Directory, authentication logs to GitHub.com will be generated. Using the following query can help you identify a sudden increase in failed logon attempt of users.'\n",
        "severity": "Medium",
        "enabled": true,
        "query": "let LearningPeriod = 7d; \nlet BinTime = 1h; \nlet RunTime = 1h; \nlet StartTime = 1h; \nlet NumberOfStds = 3; \nlet MinThreshold = 10.0; \nlet EndRunTime = StartTime - RunTime; \nlet EndLearningTime = StartTime + LearningPeriod;\nlet aadFunc = (tableName:string){\nlet GitHubFailedSSOLogins = (table(tableName)  \n| where AppDisplayName == \"GitHub.com\" \n| where ResultType != 0); \nGitHubFailedSSOLogins \n| where TimeGenerated between (ago(EndLearningTime) .. ago(StartTime)) \n| summarize FailedLoginsCountInBinTime = count() by  UserPrincipalName, bin(TimeGenerated, BinTime), Type\n| summarize AvgOfFailedLoginsInLearning = avg(FailedLoginsCountInBinTime), StdOfFailedLoginsInLearning = stdev(FailedLoginsCountInBinTime) by UserPrincipalName, Type\n| extend LearningThreshold = max_of(AvgOfFailedLoginsInLearning + StdOfFailedLoginsInLearning * NumberOfStds, MinThreshold)  \n| join kind=innerunique ( \n  GitHubFailedSSOLogins \n  | where TimeGenerated between (ago(StartTime) .. ago(EndRunTime)) \n  | summarize FailedLoginsCountInRunTime = count() by User = Identity, UserPrincipalName, bin(TimeGenerated, BinTime), Type\n) on UserPrincipalName \n| where FailedLoginsCountInRunTime > LearningThreshold\n| extend AccountCustomEntity = UserPrincipalName , timestamp = TimeGenerated\n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nunion isfuzzy=true aadSignin, aadNonInt\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P1D",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CredentialAccess"
        ],
        "techniques": [
          "T1110"
        ],
        "alertRuleTemplateName": "97ad74c4-fdd9-4a3f-b6bf-5e28f4f71e06",
        "customDetails": null,
        "entityMappings": [
          {
            "fieldMappings": [
              {
                "identifier": "FullName",
                "columnName": "AccountCustomEntity"
              }
            ],
            "entityType": "Account"
          }
        ],
        "status": "Available",
        "templateVersion": "1.0.0",
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure Active Directory/Analytic Rules/Brute Force Attack against GitHub Account.yaml"
      }
    }
  ]
}