Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

SecurityEvent - Multiple authentication failures followed by a success

Back
Idcf3ede88-a429-493b-9108-3e46d3c741f7
RulenameSecurityEvent - Multiple authentication failures followed by a success
DescriptionIdentifies accounts who have failed to logon to the domain multiple times in a row, followed by a successful authentication within a short time frame. Multiple failed attempts followed by a success can be an indication of a brute force attempt or possible mis-configuration of a service account within an environment.

The lookback is set to 2h and the authentication window and threshold are set to 1h and 5, meaning we need to see a minimum of 5 failures followed by a success for an account within 1 hour to surface an alert.
SeverityLow
TacticsCredentialAccess
TechniquesT1110
Required data connectorsSecurityEvents
WindowsSecurityEvents
KindScheduled
Query frequency2h
Query period2h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows Security Events/Analytic Rules/MultipleFailedFollowedBySuccess.yaml
Version1.0.7
Arm templatecf3ede88-a429-493b-9108-3e46d3c741f7.json
Deploy To Azure
let timeRange = 2h;
let authenticationWindow = 1h;
let authenticationThreshold = 5;
SecurityEvent
| where TimeGenerated > ago(timeRange)
| where EventID in (4624, 4625)
| where IpAddress != "-" and isnotempty(Account)
| extend Outcome = iff(EventID == 4624, "Success", "Failure")
// bin outcomes into 10 minute windows to reduce the volume of data
| summarize OutcomeCount=count() by bin(TimeGenerated, 10m), Account, IpAddress, Computer, Outcome
| project TimeGenerated, Account, IpAddress, Computer, Outcome, OutcomeCount
// sort ready for sessionizing - by account and time of the authentication outcome
| sort by TimeGenerated asc, Account, IpAddress, Computer, Outcome, OutcomeCount
| serialize
// sessionize into failure groupings until either the account changes or there is a success
| extend SessionStartedUtc = row_window_session(TimeGenerated, timeRange, authenticationWindow, Account != prev(Account) or prev(Outcome) == "Success")
// count the failures in each session
| summarize FailureCountBeforeSuccess=sumif(OutcomeCount, Outcome == "Failure"), StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), make_list(Outcome, 128), make_set(Computer, 128), make_set(IpAddress, 128) by SessionStartedUtc, Account
// the session must not start with a success, and must end with one
| where array_index_of(list_Outcome, "Success") != 0
| where array_index_of(list_Outcome, "Success") == array_length(list_Outcome) - 1
| project-away SessionStartedUtc, list_Outcome
// where the number of failures before the success is above the threshold
| where FailureCountBeforeSuccess >= authenticationThreshold
// expand out ip and computer for customer entity assignment
| mv-expand set_IpAddress, set_Computer
| extend IpAddress = tostring(set_IpAddress), Computer = tostring(set_Computer)
| extend timestamp=StartTime, NTDomain = split(Account, '\\', 0)[0], Name = split(Account, '\\', 1)[0], HostName = tostring(split(Computer, '.', 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(Computer, '.'), 1, -1), '.'))
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: FullName
    columnName: Account
  - identifier: Name
    columnName: Name
  - identifier: NTDomain
    columnName: NTDomain
- entityType: Host
  fieldMappings:
  - identifier: FullName
    columnName: Computer
  - identifier: HostName
    columnName: HostName
  - identifier: DnsDomain
    columnName: DnsDomain
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: IpAddress
queryFrequency: 2h
name: SecurityEvent - Multiple authentication failures followed by a success
severity: Low
kind: Scheduled
tactics:
- CredentialAccess
triggerThreshold: 0
query: |
  let timeRange = 2h;
  let authenticationWindow = 1h;
  let authenticationThreshold = 5;
  SecurityEvent
  | where TimeGenerated > ago(timeRange)
  | where EventID in (4624, 4625)
  | where IpAddress != "-" and isnotempty(Account)
  | extend Outcome = iff(EventID == 4624, "Success", "Failure")
  // bin outcomes into 10 minute windows to reduce the volume of data
  | summarize OutcomeCount=count() by bin(TimeGenerated, 10m), Account, IpAddress, Computer, Outcome
  | project TimeGenerated, Account, IpAddress, Computer, Outcome, OutcomeCount
  // sort ready for sessionizing - by account and time of the authentication outcome
  | sort by TimeGenerated asc, Account, IpAddress, Computer, Outcome, OutcomeCount
  | serialize
  // sessionize into failure groupings until either the account changes or there is a success
  | extend SessionStartedUtc = row_window_session(TimeGenerated, timeRange, authenticationWindow, Account != prev(Account) or prev(Outcome) == "Success")
  // count the failures in each session
  | summarize FailureCountBeforeSuccess=sumif(OutcomeCount, Outcome == "Failure"), StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), make_list(Outcome, 128), make_set(Computer, 128), make_set(IpAddress, 128) by SessionStartedUtc, Account
  // the session must not start with a success, and must end with one
  | where array_index_of(list_Outcome, "Success") != 0
  | where array_index_of(list_Outcome, "Success") == array_length(list_Outcome) - 1
  | project-away SessionStartedUtc, list_Outcome
  // where the number of failures before the success is above the threshold
  | where FailureCountBeforeSuccess >= authenticationThreshold
  // expand out ip and computer for customer entity assignment
  | mv-expand set_IpAddress, set_Computer
  | extend IpAddress = tostring(set_IpAddress), Computer = tostring(set_Computer)
  | extend timestamp=StartTime, NTDomain = split(Account, '\\', 0)[0], Name = split(Account, '\\', 1)[0], HostName = tostring(split(Computer, '.', 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(Computer, '.'), 1, -1), '.'))  
triggerOperator: gt
queryPeriod: 2h
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows Security Events/Analytic Rules/MultipleFailedFollowedBySuccess.yaml
relevantTechniques:
- T1110
status: Available
id: cf3ede88-a429-493b-9108-3e46d3c741f7
requiredDataConnectors:
- connectorId: SecurityEvents
  dataTypes:
  - SecurityEvent
- connectorId: WindowsSecurityEvents
  dataTypes:
  - SecurityEvent
version: 1.0.7
description: |
  'Identifies accounts who have failed to logon to the domain multiple times in a row, followed by a successful authentication within a short time frame. Multiple failed attempts followed by a success can be an indication of a brute force attempt or possible mis-configuration of a service account within an environment.
  The lookback is set to 2h and the authentication window and threshold are set to 1h and 5, meaning we need to see a minimum of 5 failures followed by a success for an account within 1 hour to surface an alert.'  
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/cf3ede88-a429-493b-9108-3e46d3c741f7')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/cf3ede88-a429-493b-9108-3e46d3c741f7')]",
      "properties": {
        "alertRuleTemplateName": "cf3ede88-a429-493b-9108-3e46d3c741f7",
        "customDetails": null,
        "description": "'Identifies accounts who have failed to logon to the domain multiple times in a row, followed by a successful authentication within a short time frame. Multiple failed attempts followed by a success can be an indication of a brute force attempt or possible mis-configuration of a service account within an environment.\nThe lookback is set to 2h and the authentication window and threshold are set to 1h and 5, meaning we need to see a minimum of 5 failures followed by a success for an account within 1 hour to surface an alert.'\n",
        "displayName": "SecurityEvent - Multiple authentication failures followed by a success",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "Account",
                "identifier": "FullName"
              },
              {
                "columnName": "Name",
                "identifier": "Name"
              },
              {
                "columnName": "NTDomain",
                "identifier": "NTDomain"
              }
            ]
          },
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "Computer",
                "identifier": "FullName"
              },
              {
                "columnName": "HostName",
                "identifier": "HostName"
              },
              {
                "columnName": "DnsDomain",
                "identifier": "DnsDomain"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "IpAddress",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows Security Events/Analytic Rules/MultipleFailedFollowedBySuccess.yaml",
        "query": "let timeRange = 2h;\nlet authenticationWindow = 1h;\nlet authenticationThreshold = 5;\nSecurityEvent\n| where TimeGenerated > ago(timeRange)\n| where EventID in (4624, 4625)\n| where IpAddress != \"-\" and isnotempty(Account)\n| extend Outcome = iff(EventID == 4624, \"Success\", \"Failure\")\n// bin outcomes into 10 minute windows to reduce the volume of data\n| summarize OutcomeCount=count() by bin(TimeGenerated, 10m), Account, IpAddress, Computer, Outcome\n| project TimeGenerated, Account, IpAddress, Computer, Outcome, OutcomeCount\n// sort ready for sessionizing - by account and time of the authentication outcome\n| sort by TimeGenerated asc, Account, IpAddress, Computer, Outcome, OutcomeCount\n| serialize\n// sessionize into failure groupings until either the account changes or there is a success\n| extend SessionStartedUtc = row_window_session(TimeGenerated, timeRange, authenticationWindow, Account != prev(Account) or prev(Outcome) == \"Success\")\n// count the failures in each session\n| summarize FailureCountBeforeSuccess=sumif(OutcomeCount, Outcome == \"Failure\"), StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), make_list(Outcome, 128), make_set(Computer, 128), make_set(IpAddress, 128) by SessionStartedUtc, Account\n// the session must not start with a success, and must end with one\n| where array_index_of(list_Outcome, \"Success\") != 0\n| where array_index_of(list_Outcome, \"Success\") == array_length(list_Outcome) - 1\n| project-away SessionStartedUtc, list_Outcome\n// where the number of failures before the success is above the threshold\n| where FailureCountBeforeSuccess >= authenticationThreshold\n// expand out ip and computer for customer entity assignment\n| mv-expand set_IpAddress, set_Computer\n| extend IpAddress = tostring(set_IpAddress), Computer = tostring(set_Computer)\n| extend timestamp=StartTime, NTDomain = split(Account, '\\\\', 0)[0], Name = split(Account, '\\\\', 1)[0], HostName = tostring(split(Computer, '.', 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(Computer, '.'), 1, -1), '.'))\n",
        "queryFrequency": "PT2H",
        "queryPeriod": "PT2H",
        "severity": "Low",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CredentialAccess"
        ],
        "techniques": [
          "T1110"
        ],
        "templateVersion": "1.0.7",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}