Potential Password Spray Attack
| Id | e27dd7e5-4367-4c40-a2b7-fcd7e7a8a508 |
| Rulename | Potential Password Spray Attack |
| Description | This query searches for failed attempts to log into the Okta console from more than 15 various users within a 5 minute timeframe from the same source. This is a potential indication of a password spray attack. |
| Severity | Medium |
| Tactics | CredentialAccess |
| Techniques | T1110.003 |
| Required data connectors | OktaSSO OktaSSOv2 |
| Kind | Scheduled |
| Query frequency | 1h |
| Query period | 1h |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Okta Single Sign-On/Analytic Rules/PasswordSpray.yaml |
| Version | 1.1.1 |
| Arm template | e27dd7e5-4367-4c40-a2b7-fcd7e7a8a508.json |
let FailureThreshold = 15;
let FailedEvents = OktaSSO
| where eventType_s =~ "user.session.start"and outcome_reason_s in ("VERIFICATION_ERROR","INVALID_CREDENTIALS")
| summarize dcount(actor_alternateId_s) by client_ipAddress_s, bin(TimeGenerated, 5m)
| where dcount_actor_alternateId_s > FailureThreshold
| project client_ipAddress_s, TimeGenerated;
OktaSSO
| where eventType_s =~ "user.session.start"and outcome_reason_s in ("VERIFICATION_ERROR","INVALID_CREDENTIALS")
| summarize Users = make_set(actor_alternateId_s) by client_ipAddress_s, City = column_ifexists('client_geographicalContext_city_s', ""), Country = column_ifexists('client_geographicalContext_country_s', ""), bin(TimeGenerated, 5m)
| join kind=inner (FailedEvents) on client_ipAddress_s, TimeGenerated
| sort by TimeGenerated desc
query: |
let FailureThreshold = 15;
let FailedEvents = OktaSSO
| where eventType_s =~ "user.session.start"and outcome_reason_s in ("VERIFICATION_ERROR","INVALID_CREDENTIALS")
| summarize dcount(actor_alternateId_s) by client_ipAddress_s, bin(TimeGenerated, 5m)
| where dcount_actor_alternateId_s > FailureThreshold
| project client_ipAddress_s, TimeGenerated;
OktaSSO
| where eventType_s =~ "user.session.start"and outcome_reason_s in ("VERIFICATION_ERROR","INVALID_CREDENTIALS")
| summarize Users = make_set(actor_alternateId_s) by client_ipAddress_s, City = column_ifexists('client_geographicalContext_city_s', ""), Country = column_ifexists('client_geographicalContext_country_s', ""), bin(TimeGenerated, 5m)
| join kind=inner (FailedEvents) on client_ipAddress_s, TimeGenerated
| sort by TimeGenerated desc
description: |
'This query searches for failed attempts to log into the Okta console from more than 15 various users within a 5 minute timeframe from the same source. This is a potential indication of a password spray attack.'
triggerOperator: gt
triggerThreshold: 0
queryPeriod: 1h
queryFrequency: 1h
entityMappings:
- entityType: IP
fieldMappings:
- columnName: client_ipAddress_s
identifier: Address
name: Potential Password Spray Attack
status: Available
id: e27dd7e5-4367-4c40-a2b7-fcd7e7a8a508
tactics:
- CredentialAccess
kind: Scheduled
requiredDataConnectors:
- connectorId: OktaSSO
dataTypes:
- Okta_CL
- connectorId: OktaSSOv2
dataTypes:
- OktaSSO
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Okta Single Sign-On/Analytic Rules/PasswordSpray.yaml
version: 1.1.1
severity: Medium
relevantTechniques:
- T1110.003