LoFP / An IP address with more than 20 failed authentication attempts in the span of 5 minutes may also be triggered by a broken application, such as a service or monitoring check retrying with a stale password. Those failures usually come from a single account and a single user agent, so the tried_accounts and user_agent values carried by the rules below help separate that case from a brute force or password-spraying attempt, which spreads failures over many accounts or clients.

Sample rules

AWS High Number Of Failed Authentications From Ip

Description

The following analytic identifies an IP address failing to authenticate more than 20 times to the AWS Web Console in the span of 5 minutes (the search counts distinct failed ConsoleLogin events per 5-minute bucket and source IP). This behavior could represent a brute force attack against an AWS tenant to obtain initial access or elevate privileges. As environments differ across organizations, security teams should customize the threshold of this detection.

Detection logic

`cloudtrail` eventName=ConsoleLogin action=failure 
| bucket span=5m _time 
| stats dc(_raw) AS failed_attempts values(user_name) as tried_accounts values(user_agent) by _time, src_ip, eventName, eventSource, aws_account_id 
| where failed_attempts > 20 
|  `aws_high_number_of_failed_authentications_from_ip_filter`

Azure AD High Number Of Failed Authentications From Ip

Description

The following analytic identifies an IP address failing to authenticate more than 20 times to an Azure AD tenant in the span of 10 minutes, counting sign-in events with error code 50126 (invalid username or password). This behavior could represent a brute force attack against an Azure AD tenant to obtain initial access or elevate privileges. As environments differ across organizations, security teams should customize the threshold of this detection.

Detection logic

`azure_monitor_aad` category=SignInLogs properties.status.errorCode=50126 properties.authenticationDetails{}.succeeded=false 
| rename properties.* as * 
| bucket span=10m _time 
| stats count min(_time) as firstTime max(_time) as lastTime values(user) as user by src_ip 
| where count > 20 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `azure_ad_high_number_of_failed_authentications_from_ip_filter`

High Number of Login Failures from a single source

Description

This analytic detects multiple failed login attempts in Office365 Azure Active Directory from a single source IP address. Specifically, it identifies scenarios where there are more than 10 unsuccessful login attempts within a short time frame. The detection leverages Office365 management activity logs, specifically the AzureActiveDirectoryStsLogon records from the AzureActiveDirectory workload. It aggregates these logs in 5-minute intervals to count the number of failed login attempts and associates them with the originating source IP address. Multiple failed login attempts from a single source can be indicative of brute-force attacks, password spraying, or other malicious authentication attempts. Identifying and responding to these patterns promptly can prevent unauthorized access and potential breaches. If this detection represents a true positive, an attacker might be attempting to gain unauthorized access to an Office365 account. Successful compromise could lead to unauthorized access to sensitive data, potential lateral movement within the organization, or further malicious activities using the compromised account.

Detection logic

`o365_management_activity` Workload=AzureActiveDirectory Operation=UserLoginFailed record_type=AzureActiveDirectoryStsLogon 
| bucket span=5m _time 
| stats dc(_raw) AS failed_attempts values(user) as user values(LogonError) as LogonError values(signature) as signature values(UserAgent) as UserAgent by _time, src_ip 
| where failed_attempts > 10 
| `high_number_of_login_failures_from_a_single_source_filter`
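All three rules above share one pattern: floor each failure to a fixed time bucket, count distinct failures per bucket and source IP, and alert past a threshold. The example below is added here and is not Splunk security content; it emulates that pattern in Python over constructed CloudTrail-style ConsoleLogin failures (the IPs, user names, user agents and account ID are invented), and adds the two checks a practitioner wants when tuning these searches: a first-pass triage that separates the broken-application false positive named at the top of this page (one account, one client) from spraying (many accounts or clients), and a burst that straddles a 5-minute bucket boundary to show what fixed buckets miss. The Azure AD and Office 365 variants differ only in the source fields and the window, so the same functions apply with the field names swapped.

```python
"""Added example (not part of the Splunk security content shown above): a
Python emulation of the bucket-and-threshold pattern shared by the rules,
run over constructed CloudTrail-style ConsoleLogin failures."""
import json
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

SPAN_SECONDS = 300   # bucket span=5m _time
THRESHOLD = 20       # where failed_attempts > 20

# Constructed user-agent strings; none of the identifiers below are real.
UA_MIXED = ["Mozilla/5.0", "python-requests/2.31", "curl/8.4"]


def _event(ts, src_ip, user, agent):
    """One constructed CloudTrail ConsoleLogin failure record (minimal fields)."""
    return {
        "eventTime": ts.isoformat(),
        "eventName": "ConsoleLogin",
        "eventSource": "signin.amazonaws.com",
        "sourceIPAddress": src_ip,
        "userIdentity": {"userName": user},
        "userAgent": agent,
        "responseElements": {"ConsoleLogin": "Failure"},
        "recipientAccountId": "111111111111",
    }


def make_events():
    """Constructed sample data: a spraying source, the LoFP case, and a burst
    that is split across two buckets."""
    t0 = datetime(2024, 1, 15, 9, 0, 30, tzinfo=timezone.utc)
    events = []
    # 203.0.113.10: 25 failures in ~3 min over 12 accounts and 3 clients (spraying)
    for i in range(25):
        events.append(_event(t0 + timedelta(seconds=8 * i), "203.0.113.10",
                             f"user{i % 12:02d}", UA_MIXED[i % 3]))
    # 198.51.100.7: 24 failures, one account, one client (a synthetic login
    # check left running with a stale password)
    for i in range(24):
        events.append(_event(t0 + timedelta(seconds=8 * i), "198.51.100.7",
                             "svc-uptime-check", "Mozilla/5.0 uptime-check/1.0"))
    events.append(dict(events[-1]))  # identical raw line: dc(_raw) counts it once
    # 192.0.2.44: 30 failures in 2 min starting 09:04:01, split 15/15 across
    # the 09:00 and 09:05 buckets, so neither bucket crosses the threshold
    t1 = datetime(2024, 1, 15, 9, 4, 1, tzinfo=timezone.utc)
    for i in range(30):
        events.append(_event(t1 + timedelta(seconds=4 * i), "192.0.2.44",
                             f"admin{i % 5}", UA_MIXED[1]))
    return events


def bucket_failures(events, span_seconds=SPAN_SECONDS, threshold=THRESHOLD):
    """Emulates: bucket span=5m _time | stats dc(_raw) AS failed_attempts
    values(user_name) values(user_agent) by _time, src_ip | where failed_attempts > 20"""
    groups = defaultdict(lambda: {"raw": set(), "accounts": set(), "agents": set()})
    for ev in events:
        if ev.get("eventName") != "ConsoleLogin":
            continue
        if ev.get("responseElements", {}).get("ConsoleLogin") != "Failure":
            continue  # action=failure
        epoch = datetime.fromisoformat(ev["eventTime"]).timestamp()
        bucket = int(epoch // span_seconds) * span_seconds  # floor to span boundary
        g = groups[(bucket, ev["sourceIPAddress"])]
        g["raw"].add(json.dumps(ev, sort_keys=True))  # dc(_raw): distinct raw events
        g["accounts"].add(ev["userIdentity"]["userName"])
        g["agents"].add(ev["userAgent"])
    alerts = {}
    for key, g in groups.items():
        if len(g["raw"]) > threshold:
            alerts[key] = {"failed_attempts": len(g["raw"]),
                           "tried_accounts": sorted(g["accounts"]),
                           "user_agents": sorted(g["agents"])}
    return alerts


def triage(alert):
    """First-pass check for the false positive named at the top of the page:
    one account retried from one client is usually a misconfigured application,
    while many accounts or clients from one IP looks like brute force or spraying."""
    if len(alert["tried_accounts"]) == 1 and len(alert["user_agents"]) == 1:
        return "likely_broken_client"
    return "possible_brute_force"


def summarize(events):
    """Map each alerting src_ip to its triage label."""
    return {ip: triage(a) for (_, ip), a in bucket_failures(events).items()}


def failures_per_ip(events):
    """Distinct failures per IP with no bucketing, to expose bursts that the
    fixed 5-minute buckets split below the threshold."""
    seen, counts = set(), Counter()
    for ev in events:
        raw = json.dumps(ev, sort_keys=True)
        if raw not in seen:
            seen.add(raw)
            counts[ev["sourceIPAddress"]] += 1
    return dict(counts)


if __name__ == "__main__":
    evs = make_events()
    for (bucket, ip), a in sorted(bucket_failures(evs).items()):
        when = datetime.fromtimestamp(bucket, tz=timezone.utc).strftime("%H:%M")
        print(f"{when} {ip}: {a['failed_attempts']} failures, "
              f"{len(a['tried_accounts'])} accounts, "
              f"{len(a['user_agents'])} agents -> {triage(a)}")
    print("distinct failures per IP:", failures_per_ip(evs))
```

Two points the run makes visible. The triage label is only a first pass: a single-account, single-agent burst can still be a targeted attack on one privileged user, so it should lower priority or route to the application owner rather than close the alert. And 192.0.2.44 never alerts despite 30 failures in two minutes, because `bucket span=5m` is a fixed tumbling window; if that gap matters, lower the threshold, shorten the span, or add a second search over a sliding window.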