Showing
1 changed file
with
64 additions
and
0 deletions.
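--- /dev/null
+++ b/detections/cloud/azure_ad_multi_source_failed_authentications_spike.yml
@@ -0,0 +1,64 @@
+name: Azure AD Multi-Source Failed Authentications Spike
+id: 116e11a9-63ea-41eb-a66a-6a13bdc7d2c7
+version: 1
+date: '2023-11-08'
+author: Mauricio Velazco, Splunk
+status: production
+type: Hunting
+data_source: []
+description: UPDATE_DESCRIPTION
+search: ' `azure_monitor_aad` category=SignInLogs properties.status.errorCode=50126 properties.authenticationDetails{}.succeeded=false
+| rename properties.* as *
+| bucket span=5m _time
+| eval uniqueIPUserCombo = src_ip . "-" . user
+| stats dc(uniqueIPUserCombo) as uniqueIpUserCombinations, dc(user) as uniqueUsers, dc(src_ip) as uniqueIPs, dc(location.countryOrRegion) as uniqueCountries values(user) as users, values(src_ip) as ips, values(user_agent) as user_agents, values(location.countryOrRegion) as countries by _time
+| where uniqueIpUserCombinations > 10 AND uniqueUsers > 10 AND uniqueIPs > 10
+| `azure_ad_multi_source_failed_authentications_spike_filter`'
+how_to_implement: You must install the latest version of Splunk Add-on for Microsoft
+Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub.
+This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the SignInLogs log category.
+known_false_positives: UPDATE_KNOWN_FALSE_POSITIVES
+references:
+- https://attack.mitre.org/techniques/T1110/003/
+- https://docs.microsoft.com/en-us/security/compass/incident-response-playbook-password-spray
+- https://www.cisa.gov/uscert/ncas/alerts/aa21-008a
+- https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes
+tags:
+analytic_story:
+- Azure Active Directory Account Takeover
+asset_type: Azure AD
+atomic_guid: []
+confidence: 60
+impact: 70
+message: UPDATE message
+mitre_attack_id:
+- T1586
+- T1586.003
+- T1110
+- T1110.003
+- T1110.004
+observable:
+- name: src_ip
+type: IP Address
+role:
+- Attacker
+product:
+- Splunk Enterprise
+- Splunk Enterprise Security
+- Splunk Cloud
+risk_score: 42
+required_fields:
+- _time
+- category
+- properties.authenticationDetails{}.succeeded
+- properties.location.countryOrRegion
+- user_agent
+- src_ip
+- user
+security_domain: identity
+tests:
+- name: True Positive Test
+attack_data:
+- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/azure_ad_distributed_spray/azure_ad_distributed_spray.log
+source: Azure AD
+sourcetype: azure:monitor:aad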
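Review bot: The detection is declared `status: production` while three of its analyst-facing fields are still template placeholders — `description: UPDATE_DESCRIPTION`, `known_false_positives: UPDATE_KNOWN_FALSE_POSITIVES` and `message: UPDATE message`; either fill them before merging or set `status: experimental` until they are written, since `message` is what a responder sees when this fires and the false-positive note is what lets them separate a genuine spray from a fleet of clients retrying with a stale credential. `required_fields` also omits `properties.status.errorCode`, which the first line of `search:` filters on; add `- properties.status.errorCode` to that list. `data_source: []` is empty as well, presumably pending a data-source entry for the azure:monitor:aad sourcetype named in `how_to_implement`. The rendered view does not preserve indentation, so I could not confirm that the keys under `tags:` and the continuation lines of the `search:` value nest as intended.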