LoFP / a user with more than 20 failed authentication attempts in the span of 5 minutes may also be triggered by a broken application.

Techniques

• T1110
• T1110.001
• T1201

Sample rules

AWS High Number Of Failed Authentications For User

• source: splunk
• technicques:
  • T1201

Description

The following analytic identifies an AWS account with more than 20 failed authentication events in the span of 5 minutes. This behavior could represent a brute force attack against the account. As environments differ across organizations, security teams should customize the threshold of this detection.

Detection logic

`cloudtrail` eventName=ConsoleLogin action=failure 
| bucket span=10m _time 
| stats dc(_raw) AS failed_attempts values(src_ip) as src_ip values(user_agent) by _time, user_name, eventName, eventSource aws_account_id 
| where failed_attempts > 20 
| `aws_high_number_of_failed_authentications_for_user_filter`

Azure AD High Number Of Failed Authentications For User

• source: splunk
• technicques:
  • T1110
  • T1110.001

Description

The following analytic identifies an Azure AD account with more than 20 failed authentication events in the span of 10 minutes. This behavior could represent a brute force attack against the account. As environments differ across organizations, security teams should customize the threshold of this detection.

Detection logic

 `azure_monitor_aad` category= SignInLogs properties.status.errorCode=50126 properties.authenticationDetails{}.succeeded=false 
| rename properties.* as * 
| bucket span=10m _time 
| stats count min(_time) as firstTime max(_time) as lastTime values(src_ip) as src_ip by user 
| where count > 20 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `azure_ad_high_number_of_failed_authentications_for_user_filter`