/
MultipleFailedFollowedBySuccess.yaml
77 lines (77 loc) · 3.64 KB
/
MultipleFailedFollowedBySuccess.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
id: cf3ede88-a429-493b-9108-3e46d3c741f7
name: SecurityEvent - Multiple authentication failures followed by a success
description: |
'Identifies accounts who have failed to logon to the domain multiple times in a row, followed by a successful authentication
within a short time frame. Multiple failed attempts followed by a success can be an indication of a brute force attempt or
possible mis-configuration of a service account within an environment.
The lookback is set to 2h and the authentication window and threshold are set to 1h and 5, meaning we need to see a minimum
of 5 failures followed by a success for an account within 1 hour to surface an alert.'
severity: Low
requiredDataConnectors:
- connectorId: SecurityEvents
dataTypes:
- SecurityEvent
- connectorId: WindowsSecurityEvents
dataTypes:
- SecurityEvent
queryFrequency: 2h
queryPeriod: 2h
triggerOperator: gt
triggerThreshold: 0
status: Available
tactics:
- CredentialAccess
relevantTechniques:
- T1110
query: |
let timeRange = 2h;
let authenticationWindow = 1h;
let authenticationThreshold = 5;
SecurityEvent
| where TimeGenerated > ago(timeRange)
| where EventID in (4624, 4625)
| where IpAddress != "-" and isnotempty(Account)
| extend Outcome = iff(EventID == 4624, "Success", "Failure")
// bin outcomes into 10 minute windows to reduce the volume of data
| summarize OutcomeCount=count() by bin(TimeGenerated, 10m), Account, IpAddress, Computer, Outcome
| project TimeGenerated, Account, IpAddress, Computer, Outcome, OutcomeCount
// sort ready for sessionizing - by account and time of the authentication outcome
| sort by TimeGenerated asc, Account, IpAddress, Computer, Outcome, OutcomeCount
| serialize
// sessionize into failure groupings until either the account changes or there is a success
| extend SessionStartedUtc = row_window_session(TimeGenerated, timeRange, authenticationWindow, Account != prev(Account) or prev(Outcome) == "Success")
// count the failures in each session
| summarize FailureCountBeforeSuccess=sumif(OutcomeCount, Outcome == "Failure"), StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), make_list(Outcome, 128), make_set(Computer, 128), make_set(IpAddress, 128) by SessionStartedUtc, Account
// the session must not start with a success, and must end with one
| where array_index_of(list_Outcome, "Success") != 0
| where array_index_of(list_Outcome, "Success") == array_length(list_Outcome) - 1
| project-away SessionStartedUtc, list_Outcome
// where the number of failures before the success is above the threshold
| where FailureCountBeforeSuccess >= authenticationThreshold
// expand out ip and computer for customer entity assignment
| mv-expand set_IpAddress, set_Computer
| extend IpAddress = tostring(set_IpAddress), Computer = tostring(set_Computer)
| extend timestamp=StartTime, NTDomain = split(Account, '\\', 0)[0], Name = split(Account, '\\', 1)[0], HostName = tostring(split(Computer, '.', 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(Computer, '.'), 1, -1), '.'))
entityMappings:
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: Account
- identifier: Name
columnName: Name
- identifier: NTDomain
columnName: NTDomain
- entityType: Host
fieldMappings:
- identifier: FullName
columnName: Computer
- identifier: HostName
columnName: HostName
- identifier: DnsDomain
columnName: DnsDomain
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IpAddress
version: 1.0.6
kind: Scheduled