Alsid Password Spraying

Back


Id	9e20eb4e-cc0d-4349-a99d-cad756859dfb
Rulename	Alsid Password Spraying
Description	Searches for Password spraying attacks
Severity	High
Tactics	CredentialAccess
Techniques	T1110.003
Required data connectors	AlsidForAD
Kind	Scheduled
Query frequency	2h
Query period	2h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Alsid For AD/Analytic Rules/PasswordSpraying.yaml
Version	1.0.0
Arm template	9e20eb4e-cc0d-4349-a99d-cad756859dfb.json

KQL

afad_parser
| where MessageType == 2 and Codename == "Password Spraying"

YAML

triggerOperator: gt
version: 1.0.0
query: |
  afad_parser
  | where MessageType == 2 and Codename == "Password Spraying"  
status: Available
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Alsid For AD/Analytic Rules/PasswordSpraying.yaml
queryFrequency: 2h
requiredDataConnectors:
- connectorId: AlsidForAD
  dataTypes:
  - AlsidForADLog_CL
name: Alsid Password Spraying
queryPeriod: 2h
severity: High
kind: Scheduled
tactics:
- CredentialAccess
id: 9e20eb4e-cc0d-4349-a99d-cad756859dfb
description: |
    'Searches for Password spraying attacks'
relevantTechniques:
- T1110.003
triggerThreshold: 0

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/9e20eb4e-cc0d-4349-a99d-cad756859dfb')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/9e20eb4e-cc0d-4349-a99d-cad756859dfb')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01-preview",
      "properties": {
        "displayName": "Alsid Password Spraying",
        "description": "'Searches for Password spraying attacks'\n",
        "severity": "High",
        "enabled": true,
        "query": "afad_parser\n| where MessageType == 2 and Codename == \"Password Spraying\"\n",
        "queryFrequency": "PT2H",
        "queryPeriod": "PT2H",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CredentialAccess"
        ],
        "techniques": [
          "T1110.003"
        ],
        "alertRuleTemplateName": "9e20eb4e-cc0d-4349-a99d-cad756859dfb",
        "customDetails": null,
        "entityMappings": null,
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Alsid For AD/Analytic Rules/PasswordSpraying.yaml",
        "status": "Available",
        "templateVersion": "1.0.0"
      }
    }
  ]
}