Techniques
Sample rules
AWS High Number Of Failed Authentications For User
- source: splunk
- techniques:
- T1201
Description
The following analytic identifies an AWS account with more than 20 failed authentication events in the span of 5 minutes. This behavior could represent a brute force attack against the account. As environments differ across organizations, security teams should customize the threshold of this detection.
Detection logic
`cloudtrail` eventName=ConsoleLogin action=failure
| bucket span=10m _time
| stats dc(_raw) AS failed_attempts values(src_ip) as src_ip values(user_agent) as user_agent by _time, user_name, eventName, eventSource, aws_account_id
| where failed_attempts > 20
| `aws_high_number_of_failed_authentications_for_user_filter`
Azure AD High Number Of Failed Authentications For User
- source: splunk
- techniques:
- T1110
- T1110.001
Description
The following analytic identifies an Azure AD account with more than 20 failed authentication events in the span of 10 minutes. This behavior could represent a brute force attack against the account. As environments differ across organizations, security teams should customize the threshold of this detection.
Detection logic
`azure_monitor_aad` category=SignInLogs properties.status.errorCode=50126 properties.authenticationDetails{}.succeeded=false
| rename properties.* as *
| bucket span=10m _time
| stats count min(_time) as firstTime max(_time) as lastTime values(src_ip) as src_ip by user
| where count > 20
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `azure_ad_high_number_of_failed_authentications_for_user_filter`
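Both searches share one shape: filter failed sign-ins, bucket them into 10-minute windows, count per user, and alert when the count exceeds the threshold. The Python below is an added example, not Splunk's own code, that applies that logic to constructed sample events already normalised the way the searches expect (the flat field names, the BASE timestamp and the IP addresses are assumptions).

```python
from collections import defaultdict

# Constructed sample events (not from the page). Fields mirror the two searches
# after normalisation: AWS uses eventName/action, Azure AD uses category/
# errorCode/succeeded (as left by `rename properties.* as *`). _time is epoch seconds.
BASE = 1_700_000_400          # assumed start time, chosen on a 10-minute boundary
EVENTS = []
for i in range(25):           # 25 AWS ConsoleLogin failures for alice within 8 minutes
    EVENTS.append({"src": "aws", "eventName": "ConsoleLogin", "action": "failure",
                   "user": "alice", "src_ip": "203.0.113.%d" % (i % 2), "_time": BASE + i * 20})
for i in range(5):            # 5 failures for bob: stays under the threshold
    EVENTS.append({"src": "aws", "eventName": "ConsoleLogin", "action": "failure",
                   "user": "bob", "src_ip": "198.51.100.7", "_time": BASE + i * 60})
EVENTS.append({"src": "aws", "eventName": "ConsoleLogin", "action": "success",
               "user": "alice", "src_ip": "203.0.113.0", "_time": BASE + 100})
for i in range(22):           # 22 Azure AD wrong-password sign-ins (errorCode 50126) for carol
    EVENTS.append({"src": "azure", "category": "SignInLogs", "errorCode": 50126,
                   "succeeded": False, "user": "carol", "src_ip": "192.0.2.9",
                   "_time": BASE + 1200 + i * 10})


def is_failed_auth(ev):
    """Filter stage of each search: AWS ConsoleLogin with action=failure, or
    Azure AD SignInLogs with errorCode 50126 and succeeded=false."""
    if ev["src"] == "aws":
        return ev.get("eventName") == "ConsoleLogin" and ev.get("action") == "failure"
    return (ev.get("category") == "SignInLogs" and ev.get("errorCode") == 50126
            and ev.get("succeeded") is False)


def bucket(ts, span=600):
    """`bucket span=10m _time`: floor the timestamp to the start of its window."""
    return ts - ts % span


def high_failed_auth(events, threshold=20, span=600):
    """`stats count values(src_ip) by _time, user | where count > threshold`.
    Returns {(window_start, user): {"failed_attempts": n, "src_ip": [...]}}."""
    counts, ips = defaultdict(int), defaultdict(set)
    for ev in events:
        if not is_failed_auth(ev):
            continue
        key = (bucket(ev["_time"], span), ev["user"])
        counts[key] += 1
        ips[key].add(ev["src_ip"])
    # `where count > 20` is a strict comparison: exactly 20 failures does not fire
    return {k: {"failed_attempts": n, "src_ip": sorted(ips[k])}
            for k, n in counts.items() if n > threshold}


if __name__ == "__main__":
    for (start, user), hit in sorted(high_failed_auth(EVENTS).items()):
        print(start, user, hit)
```

Running it reports alice (25 failures from two source IPs) and carol (22 failures), while bob's 5 failures and alice's successful login are ignored; lowering the threshold shows how the tuning the descriptions recommend changes what fires.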