LoFP / a user with more than 20 failed authentication attempts in the span of 5 minutes may also be triggered by a broken application.

Techniques

• T1110
• T1110.001
• T1201

Sample rules

AWS High Number Of Failed Authentications For User

• source: splunk
• technicques:
  • T1201

Description

The following analytic detects an AWS account experiencing more than 20 failed authentication attempts within a 5-minute window. It leverages AWS CloudTrail logs to identify multiple failed ConsoleLogin events. This behavior is significant as it may indicate a brute force attack targeting the account. If confirmed malicious, the attacker could potentially gain unauthorized access, leading to data breaches or further exploitation of the AWS environment. Security teams should consider adjusting the threshold based on their specific environment to reduce false positives.

Detection logic

`cloudtrail` eventName=ConsoleLogin action=failure 
| bucket span=10m _time 
| stats dc(_raw) AS failed_attempts values(src_ip) as src_ip values(user_agent) by _time, user_name, eventName, eventSource aws_account_id 
| where failed_attempts > 20 
| `aws_high_number_of_failed_authentications_for_user_filter`

Azure AD High Number Of Failed Authentications For User

• source: splunk
• technicques:
  • T1110
  • T1110.001

Description

The following analytic identifies an Azure AD account experiencing more than 20 failed authentication attempts within a 10-minute window. This detection leverages Azure SignInLogs data, specifically monitoring for error code 50126 and unsuccessful authentication attempts. This behavior is significant as it may indicate a brute force attack targeting the account. If confirmed malicious, an attacker could potentially gain unauthorized access, leading to data breaches or further exploitation within the environment. Security teams should adjust the threshold based on their specific environment to reduce false positives.

Detection logic

`azure_monitor_aad` category= SignInLogs properties.status.errorCode=50126 properties.authenticationDetails{}.succeeded=false 
| rename properties.* as * 
| bucket span=10m _time 
| stats count min(_time) as firstTime max(_time) as lastTime values(src_ip) as src_ip by user 
| where count > 20 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `azure_ad_high_number_of_failed_authentications_for_user_filter`