Excessive number of HTTP authentication failures from a source ASIM Web Session schema
Id | a1bddaf8-982b-4089-ba9e-6590dfcf80ea |
Rulename | Excessive number of HTTP authentication failures from a source (ASIM Web Session schema) |
Description | This rule identifies a source that repeatedly fails to authenticate to a web service (HTTP response code 403). This may indicate a brute force or credential stuffing attack. This rule uses the Advanced Security Information Model (ASIM) and supports any web session source that complies with ASIM. |
Severity | Low |
Tactics | Persistence CredentialAccess |
Techniques | T1110 T1556 |
Required data connectors | SquidProxy Zscaler |
Kind | Scheduled |
Query frequency | 1d |
Query period | 1d |
Trigger threshold | 0 |
Trigger operator | gt |
Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimWebSession/ExcessiveNetworkFailuresFromSource.yaml |
Version | 1.0.5 |
Arm template | a1bddaf8-982b-4089-ba9e-6590dfcf80ea.json |
let error403_count_threshold=200;
_Im_WebSession(eventresultdetails_in=dynamic(["403"]))
| extend ParsedUrl=parse_url(Url)
| extend UrlHost=tostring(ParsedUrl["Host"]), UrlSchema=tostring(ParsedUrl["Schema"])
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), NumberOfErrors = count(), Urls=makeset(Url) by UrlHost, SrcIpAddr
| where NumberOfErrors > error403_count_threshold
| sort by NumberOfErrors desc
| extend Url=tostring(Urls[0])
entityMappings:
- entityType: URL
fieldMappings:
- identifier: Url
columnName: Url
- entityType: IP
fieldMappings:
- identifier: Address
columnName: SrcIpAddr
queryFrequency: 1d
name: Excessive number of HTTP authentication failures from a source (ASIM Web Session schema)
severity: Low
kind: Scheduled
tactics:
- Persistence
- CredentialAccess
metadata:
author:
name: Yaron
source:
kind: Community
categories:
domains:
- Security - Others
support:
tier: Community
triggerThreshold: 0
query: |
let error403_count_threshold=200;
_Im_WebSession(eventresultdetails_in=dynamic(["403"]))
| extend ParsedUrl=parse_url(Url)
| extend UrlHost=tostring(ParsedUrl["Host"]), UrlSchema=tostring(ParsedUrl["Schema"])
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), NumberOfErrors = count(), Urls=makeset(Url) by UrlHost, SrcIpAddr
| where NumberOfErrors > error403_count_threshold
| sort by NumberOfErrors desc
| extend Url=tostring(Urls[0])
triggerOperator: gt
customDetails:
NumberOfErrors: NumberOfErrors
queryPeriod: 1d
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimWebSession/ExcessiveNetworkFailuresFromSource.yaml
relevantTechniques:
- T1110
- T1556
tags:
- ParentVersion: 1.1.0
ParentAlert: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/Wazuh-Large%20Number%20of%20Web%20errors%20from%20an%20IP.yaml
- SchemaVersion: 0.2.1
Schema: ASIMWebSession
alertDetailsOverride:
alertDisplayNameFormat: Excessive number of HTTP authentication failures from {{SrcIpAddr}
alertDescriptionFormat: A client with address {{SrcIpAddr}} generated a large number of failed authentication HTTP requests. This may indicate a [brute force](https://en.wikipedia.org/wiki/Brute-force_attack) or [credential stuffing](https://en.wikipedia.org/wiki/Credential_stuffing) attack.
id: a1bddaf8-982b-4089-ba9e-6590dfcf80ea
requiredDataConnectors:
- connectorId: SquidProxy
dataTypes:
- SquidProxy_CL
- connectorId: Zscaler
dataTypes:
- CommonSecurityLog
version: 1.0.5
description: |
This rule identifies a source that repeatedly fails to authenticate to a web service (HTTP response code 403). This may indicate a [brute force](https://en.wikipedia.org/wiki/Brute-force_attack) or [credential stuffing](https://en.wikipedia.org/wiki/Credential_stuffing) attack.
This rule uses the [Advanced Security Information Model (ASIM)](https://aka.ms/AboutSIM) and supports any web session source that complies with ASIM.
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/a1bddaf8-982b-4089-ba9e-6590dfcf80ea')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/a1bddaf8-982b-4089-ba9e-6590dfcf80ea')]",
"properties": {
"alertDetailsOverride": {
"alertDescriptionFormat": "A client with address {{SrcIpAddr}} generated a large number of failed authentication HTTP requests. This may indicate a [brute force](https://en.wikipedia.org/wiki/Brute-force_attack) or [credential stuffing](https://en.wikipedia.org/wiki/Credential_stuffing) attack.",
"alertDisplayNameFormat": "Excessive number of HTTP authentication failures from {{SrcIpAddr}"
},
"alertRuleTemplateName": "a1bddaf8-982b-4089-ba9e-6590dfcf80ea",
"customDetails": {
"NumberOfErrors": "NumberOfErrors"
},
"description": "This rule identifies a source that repeatedly fails to authenticate to a web service (HTTP response code 403). This may indicate a [brute force](https://en.wikipedia.org/wiki/Brute-force_attack) or [credential stuffing](https://en.wikipedia.org/wiki/Credential_stuffing) attack.\nThis rule uses the [Advanced Security Information Model (ASIM)](https://aka.ms/AboutSIM) and supports any web session source that complies with ASIM.\n",
"displayName": "Excessive number of HTTP authentication failures from a source (ASIM Web Session schema)",
"enabled": true,
"entityMappings": [
{
"entityType": "URL",
"fieldMappings": [
{
"columnName": "Url",
"identifier": "Url"
}
]
},
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "SrcIpAddr",
"identifier": "Address"
}
]
}
],
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimWebSession/ExcessiveNetworkFailuresFromSource.yaml",
"query": "let error403_count_threshold=200;\n_Im_WebSession(eventresultdetails_in=dynamic([\"403\"]))\n| extend ParsedUrl=parse_url(Url)\n| extend UrlHost=tostring(ParsedUrl[\"Host\"]), UrlSchema=tostring(ParsedUrl[\"Schema\"])\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), NumberOfErrors = count(), Urls=makeset(Url) by UrlHost, SrcIpAddr\n| where NumberOfErrors > error403_count_threshold\n| sort by NumberOfErrors desc\n| extend Url=tostring(Urls[0])\n",
"queryFrequency": "P1D",
"queryPeriod": "P1D",
"severity": "Low",
"subTechniques": [],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"CredentialAccess",
"Persistence"
],
"tags": [
{
"ParentAlert": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/Wazuh-Large%20Number%20of%20Web%20errors%20from%20an%20IP.yaml",
"ParentVersion": "1.1.0"
},
{
"Schema": "ASIMWebSession",
"SchemaVersion": "0.2.1"
}
],
"techniques": [
"T1110",
"T1556"
],
"templateVersion": "1.0.5",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}