Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Excessive number of HTTP authentication failures from a source ASIM Web Session schema

Back
Ida1bddaf8-982b-4089-ba9e-6590dfcf80ea
RulenameExcessive number of HTTP authentication failures from a source (ASIM Web Session schema)
DescriptionThis rule identifies a source that repeatedly fails to authenticate to a web service (HTTP response code 403). This may indicate a brute force or credential stuffing attack.

This rule uses the Advanced Security Information Model (ASIM) and supports any web session source that complies with ASIM.
SeverityLow
TacticsPersistence
CredentialAccess
TechniquesT1110
T1556
Required data connectorsSquidProxy
Zscaler
KindScheduled
Query frequency1d
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimWebSession/ExcessiveNetworkFailuresFromSource.yaml
Version1.0.5
Arm templatea1bddaf8-982b-4089-ba9e-6590dfcf80ea.json
Deploy To Azure
let error403_count_threshold=200;
_Im_WebSession(eventresultdetails_in=dynamic(["403"]))
| extend ParsedUrl=parse_url(Url)
| extend UrlHost=tostring(ParsedUrl["Host"]), UrlSchema=tostring(ParsedUrl["Schema"])
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), NumberOfErrors = count(), Urls=makeset(Url) by UrlHost, SrcIpAddr
| where NumberOfErrors > error403_count_threshold
| sort by NumberOfErrors desc
| extend Url=tostring(Urls[0])
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimWebSession/ExcessiveNetworkFailuresFromSource.yaml
customDetails:
  NumberOfErrors: NumberOfErrors
metadata:
  categories:
    domains:
    - Security - Others
  author:
    name: Yaron
  source:
    kind: Community
  support:
    tier: Community
id: a1bddaf8-982b-4089-ba9e-6590dfcf80ea
query: |
  let error403_count_threshold=200;
  _Im_WebSession(eventresultdetails_in=dynamic(["403"]))
  | extend ParsedUrl=parse_url(Url)
  | extend UrlHost=tostring(ParsedUrl["Host"]), UrlSchema=tostring(ParsedUrl["Schema"])
  | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), NumberOfErrors = count(), Urls=makeset(Url) by UrlHost, SrcIpAddr
  | where NumberOfErrors > error403_count_threshold
  | sort by NumberOfErrors desc
  | extend Url=tostring(Urls[0])  
tags:
- ParentAlert: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/Wazuh-Large%20Number%20of%20Web%20errors%20from%20an%20IP.yaml
  ParentVersion: 1.1.0
- SchemaVersion: 0.2.1
  Schema: ASIMWebSession
description: |
  This rule identifies a source that repeatedly fails to authenticate to a web service (HTTP response code 403). This may indicate a [brute force](https://en.wikipedia.org/wiki/Brute-force_attack) or [credential stuffing](https://en.wikipedia.org/wiki/Credential_stuffing) attack.
  This rule uses the [Advanced Security Information Model (ASIM)](https://aka.ms/AboutSIM) and supports any web session source that complies with ASIM.  
name: Excessive number of HTTP authentication failures from a source (ASIM Web Session schema)
relevantTechniques:
- T1110
- T1556
entityMappings:
- entityType: URL
  fieldMappings:
  - identifier: Url
    columnName: Url
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: SrcIpAddr
triggerThreshold: 0
severity: Low
requiredDataConnectors:
- dataTypes:
  - SquidProxy_CL
  connectorId: SquidProxy
- dataTypes:
  - CommonSecurityLog
  connectorId: Zscaler
alertDetailsOverride:
  alertDescriptionFormat: A client with address {{SrcIpAddr}} generated a large number of failed authentication HTTP requests. This may indicate a [brute force](https://en.wikipedia.org/wiki/Brute-force_attack) or [credential stuffing](https://en.wikipedia.org/wiki/Credential_stuffing) attack.
  alertDisplayNameFormat: Excessive number of HTTP authentication failures from {{SrcIpAddr}
queryFrequency: 1d
queryPeriod: 1d
version: 1.0.5
kind: Scheduled
tactics:
- Persistence
- CredentialAccess
triggerOperator: gt
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/a1bddaf8-982b-4089-ba9e-6590dfcf80ea')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/a1bddaf8-982b-4089-ba9e-6590dfcf80ea')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "A client with address {{SrcIpAddr}} generated a large number of failed authentication HTTP requests. This may indicate a [brute force](https://en.wikipedia.org/wiki/Brute-force_attack) or [credential stuffing](https://en.wikipedia.org/wiki/Credential_stuffing) attack.",
          "alertDisplayNameFormat": "Excessive number of HTTP authentication failures from {{SrcIpAddr}"
        },
        "alertRuleTemplateName": "a1bddaf8-982b-4089-ba9e-6590dfcf80ea",
        "customDetails": {
          "NumberOfErrors": "NumberOfErrors"
        },
        "description": "This rule identifies a source that repeatedly fails to authenticate to a web service (HTTP response code 403). This may indicate a [brute force](https://en.wikipedia.org/wiki/Brute-force_attack) or [credential stuffing](https://en.wikipedia.org/wiki/Credential_stuffing) attack.\nThis rule uses the [Advanced Security Information Model (ASIM)](https://aka.ms/AboutSIM) and supports any web session source that complies with ASIM.\n",
        "displayName": "Excessive number of HTTP authentication failures from a source (ASIM Web Session schema)",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "URL",
            "fieldMappings": [
              {
                "columnName": "Url",
                "identifier": "Url"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "SrcIpAddr",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimWebSession/ExcessiveNetworkFailuresFromSource.yaml",
        "query": "let error403_count_threshold=200;\n_Im_WebSession(eventresultdetails_in=dynamic([\"403\"]))\n| extend ParsedUrl=parse_url(Url)\n| extend UrlHost=tostring(ParsedUrl[\"Host\"]), UrlSchema=tostring(ParsedUrl[\"Schema\"])\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), NumberOfErrors = count(), Urls=makeset(Url) by UrlHost, SrcIpAddr\n| where NumberOfErrors > error403_count_threshold\n| sort by NumberOfErrors desc\n| extend Url=tostring(Urls[0])\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P1D",
        "severity": "Low",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CredentialAccess",
          "Persistence"
        ],
        "tags": [
          {
            "ParentAlert": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/Wazuh-Large%20Number%20of%20Web%20errors%20from%20an%20IP.yaml",
            "ParentVersion": "1.1.0"
          },
          {
            "Schema": "ASIMWebSession",
            "SchemaVersion": "0.2.1"
          }
        ],
        "techniques": [
          "T1110",
          "T1556"
        ],
        "templateVersion": "1.0.5",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}