Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. SecurityEvent - Multiple authentication failures followed by a success

SecurityEvent - Multiple authentication failures followed by a success

Back
Idcf3ede88-a429-493b-9108-3e46d3c741f7
RulenameSecurityEvent - Multiple authentication failures followed by a success
DescriptionIdentifies accounts who have failed to logon to the domain multiple times in a row, followed by a successful authentication within a short time frame. Multiple failed attempts followed by a success can be an indication of a brute force attempt or possible mis-configuration of a service account within an environment.

The lookback is set to 2h and the authentication window and threshold are set to 1h and 5, meaning we need to see a minimum of 5 failures followed by a success for an account within 1 hour to surface an alert.
SeverityLow
TacticsCredentialAccess
TechniquesT1110
Required data connectorsSecurityEvents
WindowsSecurityEvents
KindScheduled
Query frequency2h
Query period2h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows Security Events/Analytic Rules/MultipleFailedFollowedBySuccess.yaml
Version1.0.7
Arm templatecf3ede88-a429-493b-9108-3e46d3c741f7.json
Deploy To Azure
let timeRange = 2h;
let authenticationWindow = 1h;
let authenticationThreshold = 5;
SecurityEvent
| where TimeGenerated > ago(timeRange)
| where EventID in (4624, 4625)
| where IpAddress != "-" and isnotempty(Account)
| extend Outcome = iff(EventID == 4624, "Success", "Failure")
// bin outcomes into 10 minute windows to reduce the volume of data
| summarize OutcomeCount=count() by bin(TimeGenerated, 10m), Account, IpAddress, Computer, Outcome
| project TimeGenerated, Account, IpAddress, Computer, Outcome, OutcomeCount
// sort ready for sessionizing - by account and time of the authentication outcome
| sort by TimeGenerated asc, Account, IpAddress, Computer, Outcome, OutcomeCount
| serialize
// sessionize into failure groupings until either the account changes or there is a success
| extend SessionStartedUtc = row_window_session(TimeGenerated, timeRange, authenticationWindow, Account != prev(Account) or prev(Outcome) == "Success")
// count the failures in each session
| summarize FailureCountBeforeSuccess=sumif(OutcomeCount, Outcome == "Failure"), StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), make_list(Outcome, 128), make_set(Computer, 128), make_set(IpAddress, 128) by SessionStartedUtc, Account
// the session must not start with a success, and must end with one
| where array_index_of(list_Outcome, "Success") != 0
| where array_index_of(list_Outcome, "Success") == array_length(list_Outcome) - 1
| project-away SessionStartedUtc, list_Outcome
// where the number of failures before the success is above the threshold
| where FailureCountBeforeSuccess >= authenticationThreshold
// expand out ip and computer for customer entity assignment
| mv-expand set_IpAddress, set_Computer
| extend IpAddress = tostring(set_IpAddress), Computer = tostring(set_Computer)
| extend timestamp=StartTime, NTDomain = split(Account, '\\', 0)[0], Name = split(Account, '\\', 1)[0], HostName = tostring(split(Computer, '.', 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(Computer, '.'), 1, -1), '.'))

id: cf3ede88-a429-493b-9108-3e46d3c741f7
requiredDataConnectors:
- connectorId: SecurityEvents
  dataTypes:
  - SecurityEvent
- connectorId: WindowsSecurityEvents
  dataTypes:
  - SecurityEvent
entityMappings:
- fieldMappings:
  - identifier: FullName
    columnName: Account
  - identifier: Name
    columnName: Name
  - identifier: NTDomain
    columnName: NTDomain
  entityType: Account
- fieldMappings:
  - identifier: FullName
    columnName: Computer
  - identifier: HostName
    columnName: HostName
  - identifier: DnsDomain
    columnName: DnsDomain
  entityType: Host
- fieldMappings:
  - identifier: Address
    columnName: IpAddress
  entityType: IP
query: |
  let timeRange = 2h;
  let authenticationWindow = 1h;
  let authenticationThreshold = 5;
  SecurityEvent
  | where TimeGenerated > ago(timeRange)
  | where EventID in (4624, 4625)
  | where IpAddress != "-" and isnotempty(Account)
  | extend Outcome = iff(EventID == 4624, "Success", "Failure")
  // bin outcomes into 10 minute windows to reduce the volume of data
  | summarize OutcomeCount=count() by bin(TimeGenerated, 10m), Account, IpAddress, Computer, Outcome
  | project TimeGenerated, Account, IpAddress, Computer, Outcome, OutcomeCount
  // sort ready for sessionizing - by account and time of the authentication outcome
  | sort by TimeGenerated asc, Account, IpAddress, Computer, Outcome, OutcomeCount
  | serialize
  // sessionize into failure groupings until either the account changes or there is a success
  | extend SessionStartedUtc = row_window_session(TimeGenerated, timeRange, authenticationWindow, Account != prev(Account) or prev(Outcome) == "Success")
  // count the failures in each session
  | summarize FailureCountBeforeSuccess=sumif(OutcomeCount, Outcome == "Failure"), StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), make_list(Outcome, 128), make_set(Computer, 128), make_set(IpAddress, 128) by SessionStartedUtc, Account
  // the session must not start with a success, and must end with one
  | where array_index_of(list_Outcome, "Success") != 0
  | where array_index_of(list_Outcome, "Success") == array_length(list_Outcome) - 1
  | project-away SessionStartedUtc, list_Outcome
  // where the number of failures before the success is above the threshold
  | where FailureCountBeforeSuccess >= authenticationThreshold
  // expand out ip and computer for customer entity assignment
  | mv-expand set_IpAddress, set_Computer
  | extend IpAddress = tostring(set_IpAddress), Computer = tostring(set_Computer)
  | extend timestamp=StartTime, NTDomain = split(Account, '\\', 0)[0], Name = split(Account, '\\', 1)[0], HostName = tostring(split(Computer, '.', 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(Computer, '.'), 1, -1), '.'))  
triggerThreshold: 0
kind: Scheduled
severity: Low
queryPeriod: 2h
tactics:
- CredentialAccess
queryFrequency: 2h
status: Available
relevantTechniques:
- T1110
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows Security Events/Analytic Rules/MultipleFailedFollowedBySuccess.yaml
description: |
  'Identifies accounts who have failed to logon to the domain multiple times in a row, followed by a successful authentication within a short time frame. Multiple failed attempts followed by a success can be an indication of a brute force attempt or possible mis-configuration of a service account within an environment.
  The lookback is set to 2h and the authentication window and threshold are set to 1h and 5, meaning we need to see a minimum of 5 failures followed by a success for an account within 1 hour to surface an alert.'  
name: SecurityEvent - Multiple authentication failures followed by a success
version: 1.0.7