Password spray attack against Microsoft Entra ID Seamless SSO
| Id | fb7ca1c9-e14c-40a3-856e-28f3c14ea1ba |
| Rulename | Password spray attack against Microsoft Entra ID Seamless SSO |
| Description | This query detects when there is a spike in Microsoft Entra ID Seamless SSO errors. They may not be caused by a Password Spray attack, but the cause of the errors might need to be investigated. Microsoft Entra ID only logs the requests that matched existing accounts, thus there might have been unlogged requests for non-existing accounts. |
| Severity | Medium |
| Tactics | CredentialAccess |
| Techniques | T1110 |
| Required data connectors | AzureActiveDirectory |
| Kind | Scheduled |
| Query frequency | 1h |
| Query period | 1h |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Entra ID/Analytic Rules/SeamlessSSOPasswordSpray.yaml |
| Version | 1.0.4 |
| Arm template | fb7ca1c9-e14c-40a3-856e-28f3c14ea1ba.json |
// Minimum number of distinct accounts that must hit the same error code before
// the source addresses for that code are reported.
let account_threshold = 5;
AADNonInteractiveUserSignInLogs
//| where ResultType == "81016"
// Any result code beginning with "81" (the range the rule description attributes to
// Seamless SSO errors); the commented line above is the narrower single-code variant.
| where ResultType startswith "81"
// Per error code: how many distinct accounts produced it and which source IPs were seen.
// make_set caps DistinctAddresses at 100, so a spray from more than 100 addresses is truncated.
| summarize DistinctAccounts = dcount(UserPrincipalName), DistinctAddresses = make_set(IPAddress,100) by ResultType
| where DistinctAccounts > account_threshold
// One row per (ResultType, IPAddress); mv-expand yields dynamic, so cast back to string for the join key.
| mv-expand IPAddress = DistinctAddresses
| extend IPAddress = tostring(IPAddress)
// The right side is joined on IPAddress only and is NOT filtered by ResultType: every interactive
// and non-interactive sign-in from these addresses within the query period is pulled in,
// successful ones included. Type, TimeGenerated, UserPrincipalName, UserAgent, ResultDescription
// and ResultSignature in the summarize below all come from those joined rows, not from the
// 81xxx events that triggered the row (the right-side ResultType lands in ResultType1 and is unused).
| join kind=leftouter (union isfuzzy=true SigninLogs, AADNonInteractiveUserSignInLogs) on IPAddress
| summarize
StartTime = min(TimeGenerated),
EndTime = max(TimeGenerated),
// Both sets are capped at 100 entries.
UserPrincipalName = make_set(UserPrincipalName,100),
UserAgent = make_set(UserAgent,100),
// take_any picks an arbitrary joined sign-in for this IP/Type; it is not necessarily the 81xxx failure.
ResultDescription = take_any(ResultDescription),
ResultSignature = take_any(ResultSignature)
by IPAddress, Type, ResultType
// Collapse a single-element UserAgent set to a scalar for readability.
| project Type, StartTime, EndTime, IPAddress, ResultType, ResultDescription, ResultSignature, UserPrincipalName, UserAgent = iff(array_length(UserAgent) == 1, UserAgent[0], UserAgent)
// Name/UPNSuffix are derived from the first UPN in the set only; the other UPNs are carried in the array.
| extend Name = tostring(split(UserPrincipalName[0],'@',0)[0]), UPNSuffix = tostring(split(UserPrincipalName[0],'@',1)[0])
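# Microsoft Sentinel scheduled analytic rule. Indentation is restored here so the
# nested sequences (requiredDataConnectors, entityMappings) and the `query: |`
# block scalar parse as one document; with the mangled flat layout the block
# scalar swallowed the keys after it and the list items detached from their parents.
status: Available
relevantTechniques:
  - T1110
id: fb7ca1c9-e14c-40a3-856e-28f3c14ea1ba
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Entra ID/Analytic Rules/SeamlessSSOPasswordSpray.yaml
requiredDataConnectors:
  - dataTypes:
      - AADNonInteractiveUserSignInLogs
    connectorId: AzureActiveDirectory
version: 1.0.4
severity: Medium
# Threshold 0 with operator gt: any row returned by the query raises an alert.
triggerThreshold: 0
name: Password spray attack against Microsoft Entra ID Seamless SSO
queryPeriod: 1h
entityMappings:
  # UserPrincipalName is a dynamic set (make_set, up to 100 entries); Name and
  # UPNSuffix are computed from its first element only.
  - fieldMappings:
      - identifier: FullName
        columnName: UserPrincipalName
      - identifier: Name
        columnName: Name
      - identifier: UPNSuffix
        columnName: UPNSuffix
    entityType: Account
  - fieldMappings:
      - identifier: Address
        columnName: IPAddress
    entityType: IP
queryFrequency: 1h
query: |
  // Minimum number of distinct accounts per error code before its source IPs are reported.
  let account_threshold = 5;
  AADNonInteractiveUserSignInLogs
  //| where ResultType == "81016"
  | where ResultType startswith "81"
  // make_set caps DistinctAddresses at 100 addresses per error code.
  | summarize DistinctAccounts = dcount(UserPrincipalName), DistinctAddresses = make_set(IPAddress,100) by ResultType
  | where DistinctAccounts > account_threshold
  | mv-expand IPAddress = DistinctAddresses
  | extend IPAddress = tostring(IPAddress)
  // Right side is joined on IPAddress only and not filtered by ResultType: all sign-ins
  // from these addresses in the period, successes included, feed the columns below.
  | join kind=leftouter (union isfuzzy=true SigninLogs, AADNonInteractiveUserSignInLogs) on IPAddress
  | summarize
  StartTime = min(TimeGenerated),
  EndTime = max(TimeGenerated),
  UserPrincipalName = make_set(UserPrincipalName,100),
  UserAgent = make_set(UserAgent,100),
  // take_any picks an arbitrary joined sign-in for this IP/Type, not necessarily the 81xxx failure.
  ResultDescription = take_any(ResultDescription),
  ResultSignature = take_any(ResultSignature)
  by IPAddress, Type, ResultType
  | project Type, StartTime, EndTime, IPAddress, ResultType, ResultDescription, ResultSignature, UserPrincipalName, UserAgent = iff(array_length(UserAgent) == 1, UserAgent[0], UserAgent)
  | extend Name = tostring(split(UserPrincipalName[0],'@',0)[0]), UPNSuffix = tostring(split(UserPrincipalName[0],'@',1)[0])
tactics:
  - CredentialAccess
kind: Scheduled
description: |
  'This query detects when there is a spike in Microsoft Entra ID Seamless SSO errors. They may not be caused by a Password Spray attack, but the cause of the errors might need to be investigated.
  Microsoft Entra ID only logs the requests that matched existing accounts, thus there might have been unlogged requests for non-existing accounts.'
triggerOperator: gt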