Brute force attack against user credentials Uses Authentication Normalization

let failureCountThreshold = 10;
let successCountThreshold = 1;
// let authenticationWindow = 20m; // Implicit in the analytic rule query period 
imAuthentication
| where TargetUserType != "NonInteractive"
| summarize 
      StartTime = min(TimeGenerated), 
      EndTime = max(TimeGenerated), 
      IpAddresses = make_set (SrcDvcIpAddr, 100),
      ReportedBy = make_set (strcat (EventVendor, "/", EventProduct), 100),
      FailureCount = countif(EventResult=='Failure'),
      SuccessCount = countif(EventResult=='Success')
  by 
      TargetUserId, TargetUsername, TargetUserType 
| where FailureCount >= failureCountThreshold and SuccessCount >= successCountThreshold
| extend
      IpAddresses = strcat_array(IpAddresses, ", "), 
      ReportedBy = strcat_array(ReportedBy, ", ")
| extend
  Name = iif(
      TargetUsername contains "@"
          , tostring(split(TargetUsername, '@', 0)[0])
          , TargetUsername
      ),
  UPNSuffix = iif(
      TargetUsername contains "@"
      , tostring(split(TargetUsername, '@', 1)[0])
      , ""
  )

relevantTechniques:
- T1110
entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: TargetUserName
    identifier: FullName
  - columnName: Name
    identifier: Name
  - columnName: UPNSuffix
    identifier: UPNSuffix
version: 1.2.5
id: a6c435a2-b1a0-466d-b730-9f8af69262e8
severity: Medium
kind: Scheduled
queryFrequency: 20m
description: |
  'Identifies evidence of brute force activity against a user based on multiple authentication failures and at least one successful authentication within a given time window.
  Note that the query does not enforce any sequence, and does not require the successful authentication to occur last.
  The default failure threshold is 10, success threshold is 1, and the default time window is 20 minutes.
  To use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimAuthentication)'  
metadata:
  source:
    kind: Community
  support:
    tier: Community
  author:
    name: Ofer Shezaf
  categories:
    domains:
    - Security - Others
    - Identity
requiredDataConnectors: []
triggerOperator: gt
name: Brute force attack against user credentials (Uses Authentication Normalization)
tactics:
- CredentialAccess
tags:
- version: 1.0.0
  Id: 28b42356-45af-40a6-a0b4-a554cdfd5d8a
- Schema: ASIMAuthentication
  SchemaVersion: 0.1.0
triggerThreshold: 0
queryPeriod: 20m
query: |
  let failureCountThreshold = 10;
  let successCountThreshold = 1;
  // let authenticationWindow = 20m; // Implicit in the analytic rule query period 
  imAuthentication
  | where TargetUserType != "NonInteractive"
  | summarize 
        StartTime = min(TimeGenerated), 
        EndTime = max(TimeGenerated), 
        IpAddresses = make_set (SrcDvcIpAddr, 100),
        ReportedBy = make_set (strcat (EventVendor, "/", EventProduct), 100),
        FailureCount = countif(EventResult=='Failure'),
        SuccessCount = countif(EventResult=='Success')
    by 
        TargetUserId, TargetUsername, TargetUserType 
  | where FailureCount >= failureCountThreshold and SuccessCount >= successCountThreshold
  | extend
        IpAddresses = strcat_array(IpAddresses, ", "), 
        ReportedBy = strcat_array(ReportedBy, ", ")
  | extend
    Name = iif(
        TargetUsername contains "@"
            , tostring(split(TargetUsername, '@', 0)[0])
            , TargetUsername
        ),
    UPNSuffix = iif(
        TargetUsername contains "@"
        , tostring(split(TargetUsername, '@', 1)[0])
        , ""
    )  
customDetails:
  IpAddresses: IpAddresses
  ReportedBy: ReportedBy
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimAuthentication/imAuthBruteForce.yaml