Alsid Password Spraying

Back


Id	9e20eb4e-cc0d-4349-a99d-cad756859dfb
Rulename	Alsid Password Spraying
Description	Searches for Password spraying attacks
Severity	High
Tactics	CredentialAccess
Techniques	T1110.003
Required data connectors	AlsidForAD
Kind	Scheduled
Query frequency	2h
Query period	2h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Alsid For AD/Analytic Rules/PasswordSpraying.yaml
Version	1.0.1
Arm template	9e20eb4e-cc0d-4349-a99d-cad756859dfb.json

KQL

afad_parser
| where MessageType == 2 and Codename == "Password Spraying"
| extend HostName = tostring(split(Host, '.', 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(Host, '.'), 1, -1), '.'))

YAML

kind: Scheduled
id: 9e20eb4e-cc0d-4349-a99d-cad756859dfb
entityMappings:
- fieldMappings:
  - identifier: HostName
    columnName: HostName
  - identifier: DnsDomain
    columnName: DnsDomain
  entityType: Host
name: Alsid Password Spraying
severity: High
triggerOperator: gt
tactics:
- CredentialAccess
query: |
  afad_parser
  | where MessageType == 2 and Codename == "Password Spraying"
  | extend HostName = tostring(split(Host, '.', 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(Host, '.'), 1, -1), '.'))  
triggerThreshold: 0
status: Available
description: |
    'Searches for Password spraying attacks'
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Alsid For AD/Analytic Rules/PasswordSpraying.yaml
queryFrequency: 2h
queryPeriod: 2h
relevantTechniques:
- T1110.003
requiredDataConnectors:
- connectorId: AlsidForAD
  dataTypes:
  - AlsidForADLog_CL
version: 1.0.1

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/9e20eb4e-cc0d-4349-a99d-cad756859dfb')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/9e20eb4e-cc0d-4349-a99d-cad756859dfb')]",
      "properties": {
        "alertRuleTemplateName": "9e20eb4e-cc0d-4349-a99d-cad756859dfb",
        "customDetails": null,
        "description": "'Searches for Password spraying attacks'\n",
        "displayName": "Alsid Password Spraying",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "HostName",
                "identifier": "HostName"
              },
              {
                "columnName": "DnsDomain",
                "identifier": "DnsDomain"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Alsid For AD/Analytic Rules/PasswordSpraying.yaml",
        "query": "afad_parser\n| where MessageType == 2 and Codename == \"Password Spraying\"\n| extend HostName = tostring(split(Host, '.', 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(Host, '.'), 1, -1), '.'))\n",
        "queryFrequency": "PT2H",
        "queryPeriod": "PT2H",
        "severity": "High",
        "status": "Available",
        "subTechniques": [
          "T1110.003"
        ],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CredentialAccess"
        ],
        "techniques": [
          "T1110"
        ],
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}