LoFP / a user with more than 20 failed authentication attempts in the span of 10 minutes may also be triggered by a broken application.

• T1201

Sample rules

Azure AD High Number Of Failed Authentications For User

• source: splunk
• technicques:
  • T1110.001

Description

The following analytic identifies an Azure AD account experiencing more than 20 failed authentication attempts within a 10-minute window. This detection leverages Azure SignInLogs data, specifically monitoring for error code 50126 and unsuccessful authentication attempts. This behavior is significant as it may indicate a brute force attack targeting the account. If confirmed malicious, an attacker could potentially gain unauthorized access, leading to data breaches or further exploitation within the environment. Security teams should adjust the threshold based on their specific environment to reduce false positives.

Detection logic

`azure_monitor_aad`
category=SignInLogs
properties.status.errorCode=50126
properties.authenticationDetails{}.succeeded=false

| rename properties.* as *

| bin span=10m _time

| fillnull value=null

| stats count min(_time) as firstTime max(_time) as lastTime values(dest) as dest values(src) as src values(user_agent) as user_agent by user _time vendor_account vendor_product

| where count > 20

| `security_content_ctime(firstTime)`

| `security_content_ctime(lastTime)`

| `azure_ad_high_number_of_failed_authentications_for_user_filter`

AWS High Number Of Failed Authentications For User

• source: splunk
• technicques:
  • T1201

Description

The following analytic detects an AWS account experiencing more than 20 failed authentication attempts within a 5-minute window. It leverages AWS CloudTrail logs to identify multiple failed ConsoleLogin events. This behavior is significant as it may indicate a brute force attack targeting the account. If confirmed malicious, the attacker could potentially gain unauthorized access, leading to data breaches or further exploitation of the AWS environment. Security teams should consider adjusting the threshold based on their specific environment to reduce false positives.

Detection logic

`cloudtrail` eventName=ConsoleLogin action=failure 
| bucket span=10m _time 
| rename user_name as user 
| stats dc(_raw) AS failed_attempts values(src) as src values(user_agent) as user_agent by _time, user, signature, dest, vendor_account vendor_region, vendor_product 
| where failed_attempts > 20 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `aws_high_number_of_failed_authentications_for_user_filter`