LoFP: An IP address with more than 10 failed authentication attempts in the span of 5 minutes may also be triggered by a broken application.

Sample rules

High Number of Login Failures from a single source

Description

The following analytic detects multiple failed login attempts in Office365 Azure Active Directory from a single source IP address. It leverages Office365 management activity logs, specifically AzureActiveDirectoryStsLogon records, aggregating these logs in 5-minute intervals to count failed login attempts. This activity is significant as it may indicate brute-force attacks or password spraying, which are critical to monitor. If confirmed malicious, an attacker could gain unauthorized access to Office365 accounts, leading to potential data breaches, lateral movement within the organization, or further malicious activities using the compromised account.

Detection logic

`o365_management_activity` Workload=AzureActiveDirectory Operation=UserLoginFailed record_type=AzureActiveDirectoryStsLogon 
| bucket span=5m _time 
| stats dc(_raw) AS failed_attempts values(user) as user values(LogonError) as LogonError values(signature) as signature values(UserAgent) as UserAgent values(dest) as dest values(vendor_account) as vendor_account values(vendor_product) as vendor_product by _time, src_ip 
| where failed_attempts > 10 
| `high_number_of_login_failures_from_a_single_source_filter`

Azure AD High Number Of Failed Authentications From Ip

Description

The following analytic detects an IP address with 20 or more failed authentication attempts to an Azure AD tenant within 10 minutes. It leverages Azure AD SignInLogs to identify repeated failed logins from the same IP. This behavior is significant as it may indicate a brute force attack aimed at gaining unauthorized access or escalating privileges. If confirmed malicious, the attacker could potentially compromise user accounts, leading to unauthorized access to sensitive information and resources within the Azure environment.

Detection logic

`azure_monitor_aad` category=SignInLogs properties.status.errorCode=50126 properties.authenticationDetails{}.succeeded=false 
| rename properties.* as * 
| bucket span=10m _time 
| rename userAgent as user_agent 
| fillnull 
| stats count min(_time) as firstTime max(_time) as lastTime values(dest) as dest values(user) as user values(user_agent) as user_agent by src _time vendor_account vendor_product 
| where count > 20  
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `azure_ad_high_number_of_failed_authentications_from_ip_filter`

AWS High Number Of Failed Authentications From Ip

Description

The following analytic detects an IP address with 20 or more failed authentication attempts to the AWS Web Console within a 5-minute window. This detection leverages CloudTrail logs, aggregating failed login events by IP address and time span. This activity is significant as it may indicate a brute force attack aimed at gaining unauthorized access or escalating privileges within an AWS environment. If confirmed malicious, this could lead to unauthorized access, data breaches, or further exploitation of AWS resources.

Detection logic

`cloudtrail` eventName=ConsoleLogin action=failure 
| bucket span=10m _time 
| rename user_name as user 
| stats dc(_raw) AS failed_attempts min(_time) as firstTime max(_time) as lastTime values(user) as user values(user_agent) as user_agent by _time, src, signature, dest, vendor_account vendor_region, vendor_product 
| where failed_attempts > 20 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `aws_high_number_of_failed_authentications_from_ip_filter`
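The three rules above share one shape: floor `_time` to a bucket, count distinct failed events per source address inside that bucket, and alert when the count exceeds a threshold. The following Python is an added example, not code from the page or from Splunk's security content; it re-implements that shape over constructed events (using the Office365 rule's 5-minute span and threshold of 10, and then the Azure/AWS 10-minute span with threshold 20) and adds a triage hint for the broken-application false positive named at the top of the page. The field names `src_ip`, `user`, `user_agent`, the sample addresses and accounts, and the `triage_hint` heuristic are assumptions of this example.

```python
"""Bucket-and-threshold failed-logon aggregation, mirroring the SPL shape
`bucket span=<span> _time | stats dc(_raw) ... by _time, src | where count > N`.
Standalone example with constructed events; not the page's or Splunk's code.
"""
from collections import defaultdict
from datetime import datetime, timezone


def bucket_start(ts: int, span_seconds: int) -> int:
    """Floor a Unix timestamp to its bucket, like SPL `bucket span=<span> _time`."""
    return ts - (ts % span_seconds)


def aggregate_failures(events, span_seconds=300, threshold=10, src_field="src_ip"):
    """Group failed logons by (bucket, source) and return the groups above threshold.

    Equivalent to `stats dc(_raw) AS failed_attempts values(user) values(user_agent)
    by _time, <src_field> | where failed_attempts > threshold`.
    """
    groups = defaultdict(list)
    for ev in events:
        groups[(bucket_start(ev["_time"], span_seconds), ev[src_field])].append(ev)

    alerts = []
    for (bucket, src), evs in sorted(groups.items()):
        failed_attempts = len({ev["_raw"] for ev in evs})  # dc(_raw): distinct raw events
        if failed_attempts > threshold:
            alerts.append({
                "_time": bucket,
                "src": src,
                "failed_attempts": failed_attempts,
                "user": sorted({ev["user"] for ev in evs}),          # values(user)
                "user_agent": sorted({ev["user_agent"] for ev in evs}),  # values(user_agent)
            })
    return alerts


def triage_hint(alert):
    """Heuristic assumed by this example (not part of the rules): a broken application
    usually retries one account from one client, whereas spraying rotates accounts."""
    if len(alert["user"]) == 1 and len(alert["user_agent"]) == 1:
        return "single account, single client: check for a broken application before escalating"
    return "multiple accounts from one source: consistent with password spraying"


def _ts(hhmmss: str) -> int:
    """Constructed timestamp on a fixed UTC day (10:00:00 UTC is a multiple of 300 s)."""
    dt = datetime.strptime(f"2024-01-15T{hhmmss}", "%Y-%m-%dT%H:%M:%S")
    return int(dt.replace(tzinfo=timezone.utc).timestamp())


def _event(ts: int, src: str, user: str, user_agent: str) -> dict:
    # _raw carries the timestamp so every event is distinct, as real raw events are
    return {"_time": ts, "src_ip": src, "user": user, "user_agent": user_agent,
            "_raw": f'{ts} UserLoginFailed src={src} user={user} ua="{user_agent}"'}


def build_sample_events():
    """Constructed sample data: a broken service account, a spray, and a benign typo."""
    events = []
    # Broken backup agent: one account, one client, retrying every 20 s for 5 minutes (15 failures)
    for i in range(15):
        events.append(_event(_ts("10:00:05") + 20 * i, "10.0.0.5",
                             "svc-backup@example.com", "BackupAgent/2.1"))
    # Password spraying: 12 different accounts from one address within 4 minutes
    for i in range(12):
        events.append(_event(_ts("10:00:10") + 20 * i, "203.0.113.7",
                             f"user{i:02d}@example.com", "python-requests/2.31"))
    # Benign: a user mistyping a password three times (stays under the threshold)
    for i in range(3):
        events.append(_event(_ts("10:01:00") + 30 * i, "198.51.100.9",
                             "alice@example.com", "Mozilla/5.0"))
    return events


if __name__ == "__main__":
    for alert in aggregate_failures(build_sample_events()):
        when = datetime.fromtimestamp(alert["_time"], tz=timezone.utc).isoformat()
        print(f'{when} src={alert["src"]} failed_attempts={alert["failed_attempts"]} '
              f'users={len(alert["user"])} -> {triage_hint(alert)}')
```

Running it fires on both the broken agent (15 failures, one account) and the spray (12 failures, 12 accounts), and the hint separates the two cases; with the 10-minute span and threshold of 20 used by the Azure and AWS rules, neither source crosses the line on this sample. The distinct-user and user-agent lists are exactly the `values(user)` and `values(UserAgent)` fields the rules already collect, so the same triage can be done on the alert output without a second search.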