Password Spraying
This query detects a password spraying attack, where a single machine has performed a large number of failed logon attempts against a large number of different accounts. For each account the attacker uses only a few attempts, so that no account is locked out. The query works on DeviceLogonEvents per machine to detect password spraying. The machine against which the spraying is performed (a domain controller, a server or even an endpoint) needs to be enrolled in Microsoft Defender for Endpoint.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Credential Access | T1110.003 Brute Force: Password Spraying |
Event coverage
Stages and Predicates
- Stage 1: source DeviceLogonEvents
- Stage 2: where macro "(Timestamp >= ago(timeframe))"
- Stage 3: where, all of:
  - ActionType in ["LogonFailed", "LogonSuccess"]
  - LogonType ne "Unlock"
- Stage 4: where not (all of):
  - RemoteDeviceName is_null
  - RemoteIP is_null
- Stage 5: extend
- Stage 6: where RemoteIPType ne "Loopback"
- Stage 7: summarize
- Stage 8: project-rename
- Stage 9: where, all of:
  - UniqueAccountFailedLogons gt "thresholdForUniqueFailedAccounts"
  - macro "((SuccessLogonCount * ratioSuccessFailedLogons) < FailedLogonCount)"
  - macro "((UniqueAccountFailedLogons * upperBoundOfFailedLogonsPerAccount) > FailedLogonCount)"
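As an added example that is not part of this rule page or of the KQL query it documents, the following Python re-implements the stage pipeline above over constructed DeviceLogonEvents-like rows, so the three stage 9 conditions can be seen working on concrete counts. The threshold values (5 accounts, a 0.5 success/failure ratio, 10 failures per account, a 1-day window), the summarize grouping key (DeviceName, RemoteDeviceName, RemoteIP) and the constructed IPs and account names are assumptions; the page names the variables but gives neither their values nor the grouping.

```python
from datetime import datetime, timedelta, timezone

# Assumed threshold values: the rule page names these variables but gives no numbers.
THRESHOLD_FOR_UNIQUE_FAILED_ACCOUNTS = 5
RATIO_SUCCESS_FAILED_LOGONS = 0.5
UPPER_BOUND_OF_FAILED_LOGONS_PER_ACCOUNT = 10
TIMEFRAME = timedelta(days=1)

NOW = datetime(2024, 1, 2, 12, 0, tzinfo=timezone.utc)  # constructed "query time"


def make_event(device, remote_ip, account, action, *, remote_device=None,
               ip_type="Private", logon_type="Network", age=timedelta(minutes=5)):
    """Build one constructed row with the DeviceLogonEvents columns the rule uses."""
    return {"Timestamp": NOW - age, "DeviceName": device, "RemoteDeviceName": remote_device,
            "RemoteIP": remote_ip, "RemoteIPType": ip_type, "AccountName": account,
            "ActionType": action, "LogonType": logon_type}


def build_sample_events():
    """Constructed sample telemetry: one spray, one normal user, one per-account brute force."""
    events = []
    # Spray from 10.0.0.5: 8 accounts, 2 failures each (stays under a typical lockout threshold)
    for i in range(8):
        for _ in range(2):
            events.append(make_event("DC01", "10.0.0.5", f"user{i}", "LogonFailed"))
    # Normal user from 10.0.0.7: mistypes the password 3 times, then succeeds
    for _ in range(3):
        events.append(make_event("DC01", "10.0.0.7", "alice", "LogonFailed"))
    events.append(make_event("DC01", "10.0.0.7", "alice", "LogonSuccess"))
    # 10.0.0.9: 6 accounts with 15 failures each, too many per account to look like a spray
    for i in range(6):
        for _ in range(15):
            events.append(make_event("DC01", "10.0.0.9", f"svc{i}", "LogonFailed"))
    # Rows the early stages must drop: loopback, no remote identifiers, stale, unlock
    events.append(make_event("DC01", "127.0.0.1", "bob", "LogonFailed", ip_type="Loopback"))
    events.append(make_event("DC01", None, "carol", "LogonFailed"))
    events.append(make_event("DC01", "10.0.0.5", "user99", "LogonFailed", age=timedelta(days=3)))
    events.append(make_event("DC01", "10.0.0.5", "user98", "LogonFailed", logon_type="Unlock"))
    return events


def detect_password_spray(events, now=NOW,
                          threshold_for_unique_failed_accounts=THRESHOLD_FOR_UNIQUE_FAILED_ACCOUNTS,
                          ratio_success_failed_logons=RATIO_SUCCESS_FAILED_LOGONS,
                          upper_bound_of_failed_logons_per_account=UPPER_BOUND_OF_FAILED_LOGONS_PER_ACCOUNT,
                          timeframe=TIMEFRAME):
    """Apply the rule's stages; return one dict per (device, remote) pair that trips all thresholds."""
    groups = {}
    for e in events:
        if e["Timestamp"] < now - timeframe:                                   # stage 2: time window
            continue
        if e["ActionType"] not in ("LogonFailed", "LogonSuccess") or e["LogonType"] == "Unlock":  # stage 3
            continue
        if e["RemoteDeviceName"] is None and e["RemoteIP"] is None:            # stage 4: not(both null)
            continue
        if e["RemoteIPType"] == "Loopback":                                    # stage 6
            continue
        key = (e["DeviceName"], e["RemoteDeviceName"], e["RemoteIP"])         # stage 7: summarize by source
        g = groups.setdefault(key, {"failed": 0, "success": 0, "failed_accounts": set()})
        if e["ActionType"] == "LogonFailed":
            g["failed"] += 1
            g["failed_accounts"].add(e["AccountName"])
        else:
            g["success"] += 1

    hits = []
    for (device, remote_device, remote_ip), g in groups.items():               # stage 9
        failed, success, unique = g["failed"], g["success"], len(g["failed_accounts"])
        if (unique > threshold_for_unique_failed_accounts                      # many distinct accounts
                and (success * ratio_success_failed_logons) < failed           # failures dominate successes
                and (unique * upper_bound_of_failed_logons_per_account) > failed):  # few tries per account
            hits.append({"DeviceName": device, "RemoteDeviceName": remote_device, "RemoteIP": remote_ip,
                         "FailedLogonCount": failed, "SuccessLogonCount": success,
                         "UniqueAccountFailedLogons": unique})
    return hits


if __name__ == "__main__":
    for hit in detect_password_spray(build_sample_events()):
        print(hit)
```

Only the 10.0.0.5 source is reported. The 10.0.0.9 source has more distinct accounts than the threshold and no successes, but its 90 failures exceed 6 accounts times the per-account upper bound (60), so the third condition rejects it: that is the condition encoding the "few attempts per account" trait of a spray, and it is what separates this rule from single-account brute-force detection. The stale, unlock, loopback and identifier-less rows never reach the summarize stage, which is why the spray source is counted with exactly 8 accounts rather than 10.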
Exclusions
Top-level NOT(...) conjuncts — predicates this rule actively suppresses.
| Stage | Field | Kind | Excluded values |
|---|---|---|---|
| 1 | RemoteDeviceName | is_null | |
| 2 | RemoteIP | is_null | |
Indicators
Each row is a field, operator, and value that the rule matches.
| Field | Kind | Values |
|---|---|---|
| ActionType | in | LogonFailed, LogonSuccess |
| LogonType | ne | Unlock |
| RemoteIPType | ne | Loopback |
| UniqueAccountFailedLogons | gt | thresholdForUniqueFailedAccounts |