Brute force attack against user credentials Uses Authentication Normalization
| Id | a6c435a2-b1a0-466d-b730-9f8af69262e8 |
| Rulename | Brute force attack against user credentials (Uses Authentication Normalization) |
| Description | Identifies evidence of brute force activity against a user based on multiple authentication failures and at least one successful authentication within a given time window. Note that the query does not enforce any sequence, and does not require the successful authentication to occur last. The default failure threshold is 10, success threshold is 1, and the default time window is 20 minutes. To use this analytics rule, make sure you have deployed the ASIM normalization parsers |
| Severity | Medium |
| Tactics | CredentialAccess |
| Techniques | T1110 |
| Kind | Scheduled |
| Query frequency | 20m |
| Query period | 20m |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimAuthentication/imAuthBruteForce.yaml |
| Version | 1.2.5 |
| Arm template | a6c435a2-b1a0-466d-b730-9f8af69262e8.json |
let failureCountThreshold = 10;
let successCountThreshold = 1;
// let authenticationWindow = 20m; // Implicit in the analytic rule query period
imAuthentication
| where TargetUserType != "NonInteractive"
| summarize
StartTime = min(TimeGenerated),
EndTime = max(TimeGenerated),
IpAddresses = make_set (SrcDvcIpAddr, 100),
ReportedBy = make_set (strcat (EventVendor, "/", EventProduct), 100),
FailureCount = countif(EventResult=='Failure'),
SuccessCount = countif(EventResult=='Success')
by
TargetUserId, TargetUsername, TargetUserType
| where FailureCount >= failureCountThreshold and SuccessCount >= successCountThreshold
| extend
IpAddresses = strcat_array(IpAddresses, ", "),
ReportedBy = strcat_array(ReportedBy, ", ")
| extend
Name = iif(
TargetUsername contains "@"
, tostring(split(TargetUsername, '@', 0)[0])
, TargetUsername
),
UPNSuffix = iif(
TargetUsername contains "@"
, tostring(split(TargetUsername, '@', 1)[0])
, ""
)
relevantTechniques:
- T1110
name: Brute force attack against user credentials (Uses Authentication Normalization)
requiredDataConnectors: []
entityMappings:
- fieldMappings:
- identifier: FullName
columnName: TargetUserName
- identifier: Name
columnName: Name
- identifier: UPNSuffix
columnName: UPNSuffix
entityType: Account
triggerThreshold: 0
id: a6c435a2-b1a0-466d-b730-9f8af69262e8
tactics:
- CredentialAccess
version: 1.2.5
customDetails:
ReportedBy: ReportedBy
IpAddresses: IpAddresses
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimAuthentication/imAuthBruteForce.yaml
queryPeriod: 20m
kind: Scheduled
tags:
- Id: 28b42356-45af-40a6-a0b4-a554cdfd5d8a
version: 1.0.0
- Schema: ASIMAuthentication
SchemaVersion: 0.1.0
metadata:
categories:
domains:
- Security - Others
- Identity
author:
name: Ofer Shezaf
support:
tier: Community
source:
kind: Community
queryFrequency: 20m
severity: Medium
description: |
'Identifies evidence of brute force activity against a user based on multiple authentication failures and at least one successful authentication within a given time window.
Note that the query does not enforce any sequence, and does not require the successful authentication to occur last.
The default failure threshold is 10, success threshold is 1, and the default time window is 20 minutes.
To use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimAuthentication)'
query: |
let failureCountThreshold = 10;
let successCountThreshold = 1;
// let authenticationWindow = 20m; // Implicit in the analytic rule query period
imAuthentication
| where TargetUserType != "NonInteractive"
| summarize
StartTime = min(TimeGenerated),
EndTime = max(TimeGenerated),
IpAddresses = make_set (SrcDvcIpAddr, 100),
ReportedBy = make_set (strcat (EventVendor, "/", EventProduct), 100),
FailureCount = countif(EventResult=='Failure'),
SuccessCount = countif(EventResult=='Success')
by
TargetUserId, TargetUsername, TargetUserType
| where FailureCount >= failureCountThreshold and SuccessCount >= successCountThreshold
| extend
IpAddresses = strcat_array(IpAddresses, ", "),
ReportedBy = strcat_array(ReportedBy, ", ")
| extend
Name = iif(
TargetUsername contains "@"
, tostring(split(TargetUsername, '@', 0)[0])
, TargetUsername
),
UPNSuffix = iif(
TargetUsername contains "@"
, tostring(split(TargetUsername, '@', 1)[0])
, ""
)
triggerOperator: gt
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/a6c435a2-b1a0-466d-b730-9f8af69262e8')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/a6c435a2-b1a0-466d-b730-9f8af69262e8')]",
"properties": {
"alertRuleTemplateName": "a6c435a2-b1a0-466d-b730-9f8af69262e8",
"customDetails": {
"IpAddresses": "IpAddresses",
"ReportedBy": "ReportedBy"
},
"description": "'Identifies evidence of brute force activity against a user based on multiple authentication failures and at least one successful authentication within a given time window.\nNote that the query does not enforce any sequence, and does not require the successful authentication to occur last.\nThe default failure threshold is 10, success threshold is 1, and the default time window is 20 minutes.\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimAuthentication)'\n",
"displayName": "Brute force attack against user credentials (Uses Authentication Normalization)",
"enabled": true,
"entityMappings": [
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "TargetUserName",
"identifier": "FullName"
},
{
"columnName": "Name",
"identifier": "Name"
},
{
"columnName": "UPNSuffix",
"identifier": "UPNSuffix"
}
]
}
],
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimAuthentication/imAuthBruteForce.yaml",
"query": "let failureCountThreshold = 10;\nlet successCountThreshold = 1;\n// let authenticationWindow = 20m; // Implicit in the analytic rule query period \nimAuthentication\n| where TargetUserType != \"NonInteractive\"\n| summarize \n StartTime = min(TimeGenerated), \n EndTime = max(TimeGenerated), \n IpAddresses = make_set (SrcDvcIpAddr, 100),\n ReportedBy = make_set (strcat (EventVendor, \"/\", EventProduct), 100),\n FailureCount = countif(EventResult=='Failure'),\n SuccessCount = countif(EventResult=='Success')\n by \n TargetUserId, TargetUsername, TargetUserType \n| where FailureCount >= failureCountThreshold and SuccessCount >= successCountThreshold\n| extend\n IpAddresses = strcat_array(IpAddresses, \", \"), \n ReportedBy = strcat_array(ReportedBy, \", \")\n| extend\n Name = iif(\n TargetUsername contains \"@\"\n , tostring(split(TargetUsername, '@', 0)[0])\n , TargetUsername\n ),\n UPNSuffix = iif(\n TargetUsername contains \"@\"\n , tostring(split(TargetUsername, '@', 1)[0])\n , \"\"\n )\n",
"queryFrequency": "PT20M",
"queryPeriod": "PT20M",
"severity": "Medium",
"subTechniques": [],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"CredentialAccess"
],
"tags": [
{
"Id": "28b42356-45af-40a6-a0b4-a554cdfd5d8a",
"version": "1.0.0"
},
{
"Schema": "ASIMAuthentication",
"SchemaVersion": "0.1.0"
}
],
"techniques": [
"T1110"
],
"templateVersion": "1.2.5",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}