From 7776ce872468af02a5d291455f0133603de0ee51 Mon Sep 17 00:00:00 2001
From: mvelazco
Date: Wed, 8 Nov 2023 20:22:18 -0500
Subject: [PATCH] adding new detection
---
 ...ti_source_failed_authentications_spike.yml | 64 +++++++++++++++++++
 1 file changed, 64 insertions(+)
 create mode 100644 detections/cloud/azure_ad_multi_source_failed_authentications_spike.yml
diff --git a/detections/cloud/azure_ad_multi_source_failed_authentications_spike.yml b/detections/cloud/azure_ad_multi_source_failed_authentications_spike.yml
new file mode 100644
index 0000000000..bbfd112621
--- /dev/null
+++ b/detections/cloud/azure_ad_multi_source_failed_authentications_spike.yml
@@ -0,0 +1,64 @@
+name: Azure AD Multi-Source Failed Authentications Spike
+id: 116e11a9-63ea-41eb-a66a-6a13bdc7d2c7
+version: 1
+date: '2023-11-08'
+author: Mauricio Velazco, Splunk
+status: production
+type: Hunting
+data_source: []
+description: UPDATE_DESCRIPTION
+search: ' `azure_monitor_aad` category=SignInLogs properties.status.errorCode=50126 properties.authenticationDetails{}.succeeded=false
+ | rename properties.* as *
+ | bucket span=5m _time
+ | eval uniqueIPUserCombo = src_ip . "-" . user
+ | stats dc(uniqueIPUserCombo) as uniqueIpUserCombinations, dc(user) as uniqueUsers, dc(src_ip) as uniqueIPs, dc(location.countryOrRegion) as uniqueCountries values(user) as users, values(src_ip) as ips, values(user_agent) as user_agents, values(location.countryOrRegion) as countries by _time
+ | where uniqueIpUserCombinations > 10 AND uniqueUsers > 10 AND uniqueIPs > 10
+ | `azure_ad_multi_source_failed_authentications_spike_filter`'
+how_to_implement: You must install the latest version of Splunk Add-on for Microsoft
+ Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub.
+ This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the SignInLogs log category.
+known_false_positives: UPDATE_KNOWN_FALSE_POSITIVES
+references:
+- https://attack.mitre.org/techniques/T1110/003/
+- https://docs.microsoft.com/en-us/security/compass/incident-response-playbook-password-spray
+- https://www.cisa.gov/uscert/ncas/alerts/aa21-008a
+- https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes
+tags:
+ analytic_story:
+ - Azure Active Directory Account Takeover
+ asset_type: Azure AD
+ atomic_guid: []
+ confidence: 60
+ impact: 70
+ message: UPDATE message
+ mitre_attack_id:
+ - T1586
+ - T1586.003
+ - T1110
+ - T1110.003
+ - T1110.004
+ observable:
+ - name: src_ip
+ type: IP Address
+ role:
+ - Attacker
+ product:
+ - Splunk Enterprise
+ - Splunk Enterprise Security
+ - Splunk Cloud
+ risk_score: 42
+ required_fields:
+ - _time
+ - category
+ - properties.authenticationDetails{}.succeeded
+ - properties.location.countryOrRegion
+ - user_agent
+ - src_ip
+ - user
+ security_domain: identity
+tests:
+- name: True Positive Test
+ attack_data:
+ - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/azure_ad_distributed_spray/azure_ad_distributed_spray.log
+ source: Azure AD
+ sourcetype: azure:monitor:aad
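Review bot: The detection is marked `status: production` while `description: UPDATE_DESCRIPTION`, `known_false_positives: UPDATE_KNOWN_FALSE_POSITIVES`, `message: UPDATE message` and `data_source: []` are still template placeholders, so an analyst triaging a hit gets no explanation of what the spike means or how to tune it; each should be filled in before merge (for example a description stating that the search counts distinct user/source-IP pairs failing with error code 50126 in 5-minute buckets and fires when users, IPs and pairs each exceed 10, and a false-positive note covering shared egress IPs, large user populations and the tenant-specific thresholds). `required_fields` also disagrees with the search: it lists `properties.location.countryOrRegion` while the search reads `location.countryOrRegion` after `rename properties.* as *`, and it omits `properties.status.errorCode`, which the base search filters on. The `where` thresholds and `span=5m` are hard-coded and `uniqueCountries` is computed but never used in the condition, so a one-line YAML comment above `search:` — `# thresholds are a starting point; tune per tenant, uniqueCountries is context only` — would make the intent explicit. The `stats` clause mixes comma- and space-separated aggregations (`... as uniqueCountries values(user) as users`); SPL accepts both, but a comma there would keep the style consistent with the rest of the line.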