Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Excessive number of HTTP authentication failures from a source ASIM Web Session schema

Excessive number of HTTP authentication failures from a source ASIM Web Session schema

Back
Ida1bddaf8-982b-4089-ba9e-6590dfcf80ea
RulenameExcessive number of HTTP authentication failures from a source (ASIM Web Session schema)
DescriptionThis rule identifies a source that repeatedly fails to authenticate to a web service (HTTP response code 403). This may indicate a brute force or credential stuffing attack.

This rule uses the Advanced Security Information Model (ASIM) and supports any web session source that complies with ASIM.
SeverityLow
TacticsPersistence
CredentialAccess
TechniquesT1110
T1556
Required data connectorsSquidProxy
Zscaler
KindScheduled
Query frequency1d
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimWebSession/ExcessiveNetworkFailuresFromSource.yaml
Version1.0.5
Arm templatea1bddaf8-982b-4089-ba9e-6590dfcf80ea.json
Deploy To Azure
let error403_count_threshold=200;
_Im_WebSession(eventresultdetails_in=dynamic(["403"]))
| extend ParsedUrl=parse_url(Url)
| extend UrlHost=tostring(ParsedUrl["Host"]), UrlSchema=tostring(ParsedUrl["Schema"])
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), NumberOfErrors = count(), Urls=makeset(Url) by UrlHost, SrcIpAddr
| where NumberOfErrors > error403_count_threshold
| sort by NumberOfErrors desc
| extend Url=tostring(Urls[0])

queryFrequency: 1d
queryPeriod: 1d
tactics:
- Persistence
- CredentialAccess
version: 1.0.5
customDetails:
  NumberOfErrors: NumberOfErrors
query: |
  let error403_count_threshold=200;
  _Im_WebSession(eventresultdetails_in=dynamic(["403"]))
  | extend ParsedUrl=parse_url(Url)
  | extend UrlHost=tostring(ParsedUrl["Host"]), UrlSchema=tostring(ParsedUrl["Schema"])
  | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), NumberOfErrors = count(), Urls=makeset(Url) by UrlHost, SrcIpAddr
  | where NumberOfErrors > error403_count_threshold
  | sort by NumberOfErrors desc
  | extend Url=tostring(Urls[0])  
name: Excessive number of HTTP authentication failures from a source (ASIM Web Session schema)
triggerOperator: gt
entityMappings:
- fieldMappings:
  - columnName: Url
    identifier: Url
  entityType: URL
- fieldMappings:
  - columnName: SrcIpAddr
    identifier: Address
  entityType: IP
id: a1bddaf8-982b-4089-ba9e-6590dfcf80ea
requiredDataConnectors:
- dataTypes:
  - SquidProxy_CL
  connectorId: SquidProxy
- dataTypes:
  - CommonSecurityLog
  connectorId: Zscaler
tags:
- ParentVersion: 1.1.0
  ParentAlert: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/Wazuh-Large%20Number%20of%20Web%20errors%20from%20an%20IP.yaml
- Schema: ASIMWebSession
  SchemaVersion: 0.2.1
severity: Low
metadata:
  author:
    name: Yaron
  support:
    tier: Community
  source:
    kind: Community
  categories:
    domains:
    - Security - Others
alertDetailsOverride:
  alertDisplayNameFormat: Excessive number of HTTP authentication failures from {{SrcIpAddr}
  alertDescriptionFormat: A client with address {{SrcIpAddr}} generated a large number of failed authentication HTTP requests. This may indicate a [brute force](https://en.wikipedia.org/wiki/Brute-force_attack) or [credential stuffing](https://en.wikipedia.org/wiki/Credential_stuffing) attack.
description: |
  This rule identifies a source that repeatedly fails to authenticate to a web service (HTTP response code 403). This may indicate a [brute force](https://en.wikipedia.org/wiki/Brute-force_attack) or [credential stuffing](https://en.wikipedia.org/wiki/Credential_stuffing) attack.
  This rule uses the [Advanced Security Information Model (ASIM)](https://aka.ms/AboutSIM) and supports any web session source that complies with ASIM.  
kind: Scheduled
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimWebSession/ExcessiveNetworkFailuresFromSource.yaml
relevantTechniques:
- T1110
- T1556
triggerThreshold: 0

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/a1bddaf8-982b-4089-ba9e-6590dfcf80ea')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/a1bddaf8-982b-4089-ba9e-6590dfcf80ea')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "A client with address {{SrcIpAddr}} generated a large number of failed authentication HTTP requests. This may indicate a [brute force](https://en.wikipedia.org/wiki/Brute-force_attack) or [credential stuffing](https://en.wikipedia.org/wiki/Credential_stuffing) attack.",
          "alertDisplayNameFormat": "Excessive number of HTTP authentication failures from {{SrcIpAddr}"
        },
        "alertRuleTemplateName": "a1bddaf8-982b-4089-ba9e-6590dfcf80ea",
        "customDetails": {
          "NumberOfErrors": "NumberOfErrors"
        },
        "description": "This rule identifies a source that repeatedly fails to authenticate to a web service (HTTP response code 403). This may indicate a [brute force](https://en.wikipedia.org/wiki/Brute-force_attack) or [credential stuffing](https://en.wikipedia.org/wiki/Credential_stuffing) attack.\nThis rule uses the [Advanced Security Information Model (ASIM)](https://aka.ms/AboutSIM) and supports any web session source that complies with ASIM.\n",
        "displayName": "Excessive number of HTTP authentication failures from a source (ASIM Web Session schema)",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "URL",
            "fieldMappings": [
              {
                "columnName": "Url",
                "identifier": "Url"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "SrcIpAddr",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimWebSession/ExcessiveNetworkFailuresFromSource.yaml",
        "query": "let error403_count_threshold=200;\n_Im_WebSession(eventresultdetails_in=dynamic([\"403\"]))\n| extend ParsedUrl=parse_url(Url)\n| extend UrlHost=tostring(ParsedUrl[\"Host\"]), UrlSchema=tostring(ParsedUrl[\"Schema\"])\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), NumberOfErrors = count(), Urls=makeset(Url) by UrlHost, SrcIpAddr\n| where NumberOfErrors > error403_count_threshold\n| sort by NumberOfErrors desc\n| extend Url=tostring(Urls[0])\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P1D",
        "severity": "Low",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CredentialAccess",
          "Persistence"
        ],
        "tags": [
          {
            "ParentAlert": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/Wazuh-Large%20Number%20of%20Web%20errors%20from%20an%20IP.yaml",
            "ParentVersion": "1.1.0"
          },
          {
            "Schema": "ASIMWebSession",
            "SchemaVersion": "0.2.1"
          }
        ],
        "techniques": [
          "T1110",
          "T1556"
        ],
        "templateVersion": "1.0.5",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}