adding new detection
mvelazc0 committed Nov 9, 2023
1 parent f77422a commit 7776ce8
Showing 1 changed file with 64 additions and 0 deletions.
@@ -0,0 +1,64 @@
name: Azure AD Multi-Source Failed Authentications Spike
id: 116e11a9-63ea-41eb-a66a-6a13bdc7d2c7
version: 1
date: '2023-11-08'
author: Mauricio Velazco, Splunk
status: production
type: Hunting
data_source: []
description: UPDATE_DESCRIPTION
search: ' `azure_monitor_aad` category=SignInLogs properties.status.errorCode=50126 properties.authenticationDetails{}.succeeded=false
| rename properties.* as *
| bucket span=5m _time
| eval uniqueIPUserCombo = src_ip . "-" . user
| stats dc(uniqueIPUserCombo) as uniqueIpUserCombinations, dc(user) as uniqueUsers, dc(src_ip) as uniqueIPs, dc(location.countryOrRegion) as uniqueCountries values(user) as users, values(src_ip) as ips, values(user_agent) as user_agents, values(location.countryOrRegion) as countries by _time
| where uniqueIpUserCombinations > 10 AND uniqueUsers > 10 AND uniqueIPs > 10
| `azure_ad_multi_source_failed_authentications_spike_filter`'
how_to_implement: You must install the latest version of Splunk Add-on for Microsoft
Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub.
This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the SignInLogs log category.
known_false_positives: UPDATE_KNOWN_FALSE_POSITIVES
references:
- https://attack.mitre.org/techniques/T1110/003/
- https://docs.microsoft.com/en-us/security/compass/incident-response-playbook-password-spray
- https://www.cisa.gov/uscert/ncas/alerts/aa21-008a
- https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes
tags:
analytic_story:
- Azure Active Directory Account Takeover
asset_type: Azure AD
atomic_guid: []
confidence: 60
impact: 70
message: UPDATE message
mitre_attack_id:
- T1586
- T1586.003
- T1110
- T1110.003
- T1110.004
observable:
- name: src_ip
type: IP Address
role:
- Attacker
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
risk_score: 42
required_fields:
- _time
- category
- properties.authenticationDetails{}.succeeded
- properties.location.countryOrRegion
- user_agent
- src_ip
- user
security_domain: identity
tests:
- name: True Positive Test
attack_data:
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/azure_ad_distributed_spray/azure_ad_distributed_spray.log
source: Azure AD
sourcetype: azure:monitor:aad
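Review bot: the analytic is marked `status: production` while several required documentation fields are still template placeholders: `description: UPDATE_DESCRIPTION`, `known_false_positives: UPDATE_KNOWN_FALSE_POSITIVES` and `message: UPDATE message`, and `data_source: []` is empty. Please fill these in before merging (the references already cited, T1110.003 and the Microsoft password-spray playbook, give the intended description; `known_false_positives` should at least mention expected spikes such as a mass password expiry or an MFA/conditional-access rollout that yields many 50126 errors from many users and sources in one 5-minute window). Two smaller points on the search: `uniqueCountries` is computed in the `stats` but never used in the `where` clause, so either drop it or add it to the threshold if distributed-source geography is part of the detection intent; and the thresholds `> 10` are hard-coded, so a short comment on how they were chosen (or exposing them via the filter macro) would help tuners. Finally, the `observable` block names `src_ip` as the only entity with role `Attacker`, but after `stats ... values(src_ip) as ips by _time` the result has no `src_ip` field (only the multi-valued `ips`), so the observable will not resolve; consider naming the aggregated field or adding `user`/`users` as `Victim` so the hunt output carries both entities.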
