Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Excessive number of HTTP authentication failures from a source ASIM Web Session schema

Excessive number of HTTP authentication failures from a source ASIM Web Session schema

Back
Ida1bddaf8-982b-4089-ba9e-6590dfcf80ea
RulenameExcessive number of HTTP authentication failures from a source (ASIM Web Session schema)
DescriptionThis rule identifies a source that repeatedly fails to authenticate to a web service (HTTP response code 403). This may indicate a brute force or credential stuffing attack.

This rule uses the Advanced Security Information Model (ASIM) and supports any web session source that complies with ASIM.
SeverityLow
TacticsPersistence
CredentialAccess
TechniquesT1110
T1556
Required data connectorsSquidProxy
Zscaler
KindScheduled
Query frequency1d
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimWebSession/ExcessiveNetworkFailuresFromSource.yaml
Version1.0.5
Arm templatea1bddaf8-982b-4089-ba9e-6590dfcf80ea.json
Deploy To Azure
let error403_count_threshold=200;
_Im_WebSession(eventresultdetails_in=dynamic(["403"]))
| extend ParsedUrl=parse_url(Url)
| extend UrlHost=tostring(ParsedUrl["Host"]), UrlSchema=tostring(ParsedUrl["Schema"])
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), NumberOfErrors = count(), Urls=makeset(Url) by UrlHost, SrcIpAddr
| where NumberOfErrors > error403_count_threshold
| sort by NumberOfErrors desc
| extend Url=tostring(Urls[0])

requiredDataConnectors:
- connectorId: SquidProxy
  dataTypes:
  - SquidProxy_CL
- connectorId: Zscaler
  dataTypes:
  - CommonSecurityLog
query: |
  let error403_count_threshold=200;
  _Im_WebSession(eventresultdetails_in=dynamic(["403"]))
  | extend ParsedUrl=parse_url(Url)
  | extend UrlHost=tostring(ParsedUrl["Host"]), UrlSchema=tostring(ParsedUrl["Schema"])
  | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), NumberOfErrors = count(), Urls=makeset(Url) by UrlHost, SrcIpAddr
  | where NumberOfErrors > error403_count_threshold
  | sort by NumberOfErrors desc
  | extend Url=tostring(Urls[0])  
description: |
  This rule identifies a source that repeatedly fails to authenticate to a web service (HTTP response code 403). This may indicate a [brute force](https://en.wikipedia.org/wiki/Brute-force_attack) or [credential stuffing](https://en.wikipedia.org/wiki/Credential_stuffing) attack.
  This rule uses the [Advanced Security Information Model (ASIM)](https://aka.ms/AboutSIM) and supports any web session source that complies with ASIM.  
kind: Scheduled
name: Excessive number of HTTP authentication failures from a source (ASIM Web Session schema)
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimWebSession/ExcessiveNetworkFailuresFromSource.yaml
relevantTechniques:
- T1110
- T1556
entityMappings:
- fieldMappings:
  - identifier: Url
    columnName: Url
  entityType: URL
- fieldMappings:
  - identifier: Address
    columnName: SrcIpAddr
  entityType: IP
queryFrequency: 1d
version: 1.0.5
tags:
- ParentVersion: 1.1.0
  ParentAlert: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/Wazuh-Large%20Number%20of%20Web%20errors%20from%20an%20IP.yaml
- SchemaVersion: 0.2.1
  Schema: ASIMWebSession
id: a1bddaf8-982b-4089-ba9e-6590dfcf80ea
metadata:
  source:
    kind: Community
  support:
    tier: Community
  categories:
    domains:
    - Security - Others
  author:
    name: Yaron
triggerThreshold: 0
alertDetailsOverride:
  alertDescriptionFormat: A client with address {{SrcIpAddr}} generated a large number of failed authentication HTTP requests. This may indicate a [brute force](https://en.wikipedia.org/wiki/Brute-force_attack) or [credential stuffing](https://en.wikipedia.org/wiki/Credential_stuffing) attack.
  alertDisplayNameFormat: Excessive number of HTTP authentication failures from {{SrcIpAddr}
tactics:
- Persistence
- CredentialAccess
queryPeriod: 1d
triggerOperator: gt
customDetails:
  NumberOfErrors: NumberOfErrors
severity: Low

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/a1bddaf8-982b-4089-ba9e-6590dfcf80ea')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/a1bddaf8-982b-4089-ba9e-6590dfcf80ea')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "A client with address {{SrcIpAddr}} generated a large number of failed authentication HTTP requests. This may indicate a [brute force](https://en.wikipedia.org/wiki/Brute-force_attack) or [credential stuffing](https://en.wikipedia.org/wiki/Credential_stuffing) attack.",
          "alertDisplayNameFormat": "Excessive number of HTTP authentication failures from {{SrcIpAddr}"
        },
        "alertRuleTemplateName": "a1bddaf8-982b-4089-ba9e-6590dfcf80ea",
        "customDetails": {
          "NumberOfErrors": "NumberOfErrors"
        },
        "description": "This rule identifies a source that repeatedly fails to authenticate to a web service (HTTP response code 403). This may indicate a [brute force](https://en.wikipedia.org/wiki/Brute-force_attack) or [credential stuffing](https://en.wikipedia.org/wiki/Credential_stuffing) attack.\nThis rule uses the [Advanced Security Information Model (ASIM)](https://aka.ms/AboutSIM) and supports any web session source that complies with ASIM.\n",
        "displayName": "Excessive number of HTTP authentication failures from a source (ASIM Web Session schema)",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "URL",
            "fieldMappings": [
              {
                "columnName": "Url",
                "identifier": "Url"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "SrcIpAddr",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimWebSession/ExcessiveNetworkFailuresFromSource.yaml",
        "query": "let error403_count_threshold=200;\n_Im_WebSession(eventresultdetails_in=dynamic([\"403\"]))\n| extend ParsedUrl=parse_url(Url)\n| extend UrlHost=tostring(ParsedUrl[\"Host\"]), UrlSchema=tostring(ParsedUrl[\"Schema\"])\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), NumberOfErrors = count(), Urls=makeset(Url) by UrlHost, SrcIpAddr\n| where NumberOfErrors > error403_count_threshold\n| sort by NumberOfErrors desc\n| extend Url=tostring(Urls[0])\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P1D",
        "severity": "Low",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CredentialAccess",
          "Persistence"
        ],
        "tags": [
          {
            "ParentAlert": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/Wazuh-Large%20Number%20of%20Web%20errors%20from%20an%20IP.yaml",
            "ParentVersion": "1.1.0"
          },
          {
            "Schema": "ASIMWebSession",
            "SchemaVersion": "0.2.1"
          }
        ],
        "techniques": [
          "T1110",
          "T1556"
        ],
        "templateVersion": "1.0.5",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}