Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Brute force attack against user credentials Uses Authentication Normalization

Back
Ida6c435a2-b1a0-466d-b730-9f8af69262e8
RulenameBrute force attack against user credentials (Uses Authentication Normalization)
DescriptionIdentifies evidence of brute force activity against a user based on multiple authentication failures and at least one successful authentication within a given time window.

Note that the query does not enforce any sequence, and does not require the successful authentication to occur last.

The default failure threshold is 10, success threshold is 1, and the default time window is 20 minutes.

To use this analytics rule, make sure you have deployed the ASIM normalization parsers
SeverityMedium
TacticsCredentialAccess
TechniquesT1110
KindScheduled
Query frequency20m
Query period20m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimAuthentication/imAuthBruteForce.yaml
Version1.2.5
Arm templatea6c435a2-b1a0-466d-b730-9f8af69262e8.json
Deploy To Azure
let failureCountThreshold = 10;
let successCountThreshold = 1;
// let authenticationWindow = 20m; // Implicit in the analytic rule query period 
imAuthentication
| where TargetUserType != "NonInteractive"
| summarize 
      StartTime = min(TimeGenerated), 
      EndTime = max(TimeGenerated), 
      IpAddresses = make_set (SrcDvcIpAddr, 100),
      ReportedBy = make_set (strcat (EventVendor, "/", EventProduct), 100),
      FailureCount = countif(EventResult=='Failure'),
      SuccessCount = countif(EventResult=='Success')
  by 
      TargetUserId, TargetUsername, TargetUserType 
| where FailureCount >= failureCountThreshold and SuccessCount >= successCountThreshold
| extend
      IpAddresses = strcat_array(IpAddresses, ", "), 
      ReportedBy = strcat_array(ReportedBy, ", ")
| extend
  Name = iif(
      TargetUsername contains "@"
          , tostring(split(TargetUsername, '@', 0)[0])
          , TargetUsername
      ),
  UPNSuffix = iif(
      TargetUsername contains "@"
      , tostring(split(TargetUsername, '@', 1)[0])
      , ""
  )
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: FullName
    columnName: TargetUserName
  - identifier: Name
    columnName: Name
  - identifier: UPNSuffix
    columnName: UPNSuffix
queryFrequency: 20m
name: Brute force attack against user credentials (Uses Authentication Normalization)
severity: Medium
kind: Scheduled
tactics:
- CredentialAccess
metadata:
  author:
    name: Ofer Shezaf
  source:
    kind: Community
  categories:
    domains:
    - Security - Others
    - Identity
  support:
    tier: Community
triggerThreshold: 0
query: |
  let failureCountThreshold = 10;
  let successCountThreshold = 1;
  // let authenticationWindow = 20m; // Implicit in the analytic rule query period 
  imAuthentication
  | where TargetUserType != "NonInteractive"
  | summarize 
        StartTime = min(TimeGenerated), 
        EndTime = max(TimeGenerated), 
        IpAddresses = make_set (SrcDvcIpAddr, 100),
        ReportedBy = make_set (strcat (EventVendor, "/", EventProduct), 100),
        FailureCount = countif(EventResult=='Failure'),
        SuccessCount = countif(EventResult=='Success')
    by 
        TargetUserId, TargetUsername, TargetUserType 
  | where FailureCount >= failureCountThreshold and SuccessCount >= successCountThreshold
  | extend
        IpAddresses = strcat_array(IpAddresses, ", "), 
        ReportedBy = strcat_array(ReportedBy, ", ")
  | extend
    Name = iif(
        TargetUsername contains "@"
            , tostring(split(TargetUsername, '@', 0)[0])
            , TargetUsername
        ),
    UPNSuffix = iif(
        TargetUsername contains "@"
        , tostring(split(TargetUsername, '@', 1)[0])
        , ""
    )  
triggerOperator: gt
customDetails:
  IpAddresses: IpAddresses
  ReportedBy: ReportedBy
queryPeriod: 20m
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimAuthentication/imAuthBruteForce.yaml
relevantTechniques:
- T1110
tags:
- version: 1.0.0
  Id: 28b42356-45af-40a6-a0b4-a554cdfd5d8a
- SchemaVersion: 0.1.0
  Schema: ASIMAuthentication
id: a6c435a2-b1a0-466d-b730-9f8af69262e8
requiredDataConnectors: []
version: 1.2.5
description: |
  'Identifies evidence of brute force activity against a user based on multiple authentication failures and at least one successful authentication within a given time window.
  Note that the query does not enforce any sequence, and does not require the successful authentication to occur last.
  The default failure threshold is 10, success threshold is 1, and the default time window is 20 minutes.
  To use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimAuthentication)'  
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/a6c435a2-b1a0-466d-b730-9f8af69262e8')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/a6c435a2-b1a0-466d-b730-9f8af69262e8')]",
      "properties": {
        "alertRuleTemplateName": "a6c435a2-b1a0-466d-b730-9f8af69262e8",
        "customDetails": {
          "IpAddresses": "IpAddresses",
          "ReportedBy": "ReportedBy"
        },
        "description": "'Identifies evidence of brute force activity against a user based on multiple authentication failures and at least one successful authentication within a given time window.\nNote that the query does not enforce any sequence, and does not require the successful authentication to occur last.\nThe default failure threshold is 10, success threshold is 1, and the default time window is 20 minutes.\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimAuthentication)'\n",
        "displayName": "Brute force attack against user credentials (Uses Authentication Normalization)",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "TargetUserName",
                "identifier": "FullName"
              },
              {
                "columnName": "Name",
                "identifier": "Name"
              },
              {
                "columnName": "UPNSuffix",
                "identifier": "UPNSuffix"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimAuthentication/imAuthBruteForce.yaml",
        "query": "let failureCountThreshold = 10;\nlet successCountThreshold = 1;\n// let authenticationWindow = 20m; // Implicit in the analytic rule query period \nimAuthentication\n| where TargetUserType != \"NonInteractive\"\n| summarize \n      StartTime = min(TimeGenerated), \n      EndTime = max(TimeGenerated), \n      IpAddresses = make_set (SrcDvcIpAddr, 100),\n      ReportedBy = make_set (strcat (EventVendor, \"/\", EventProduct), 100),\n      FailureCount = countif(EventResult=='Failure'),\n      SuccessCount = countif(EventResult=='Success')\n  by \n      TargetUserId, TargetUsername, TargetUserType \n| where FailureCount >= failureCountThreshold and SuccessCount >= successCountThreshold\n| extend\n      IpAddresses = strcat_array(IpAddresses, \", \"), \n      ReportedBy = strcat_array(ReportedBy, \", \")\n| extend\n  Name = iif(\n      TargetUsername contains \"@\"\n          , tostring(split(TargetUsername, '@', 0)[0])\n          , TargetUsername\n      ),\n  UPNSuffix = iif(\n      TargetUsername contains \"@\"\n      , tostring(split(TargetUsername, '@', 1)[0])\n      , \"\"\n  )\n",
        "queryFrequency": "PT20M",
        "queryPeriod": "PT20M",
        "severity": "Medium",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CredentialAccess"
        ],
        "tags": [
          {
            "Id": "28b42356-45af-40a6-a0b4-a554cdfd5d8a",
            "version": "1.0.0"
          },
          {
            "Schema": "ASIMAuthentication",
            "SchemaVersion": "0.1.0"
          }
        ],
        "techniques": [
          "T1110"
        ],
        "templateVersion": "1.2.5",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}