Detection rules › Kusto Query Language
Potential Password Spray Attack (Uses Authentication Normalization)
This query searches for failed attempts to log in from more than 15 various users within a 5-minute timeframe from the same source. This is a potential indication of a password spray attack. To use this analytics rule, make sure you have deployed the ASIM normalization parsers.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Credential Access | T1110 Brute Force |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Security-Auditing | 4624 | An account was successfully logged on. |
| Security-Auditing | 4625 | An account failed to log on. |
| Security-Auditing | 4634 | An account was logged off. |
Stages and Predicates
1. source: imAuthentication
2. where: EventResult == "Failure" and EventType == "Logon"
3. where: EventResultDetails in ["Incorrect password", "No such user or password"]
4. summarize: UserCount (distinct users) per source over 5-minute bins, as described above
5. where: UserCount > FailureThreshold
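As an added example (not the catalog's or the rule's own code), the five stages above implemented in Python over a constructed batch of ASIM-style events; the field names SrcDvcIpAddr and TargetUserId are assumed to follow the imAuthentication schema, and the 5-minute bin and threshold of 15 come from the rule description.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Stage 3 predicate: only these failure reasons count toward the spray.
FAILURE_DETAILS = {"Incorrect password", "No such user or password"}


def make_events():
    """Constructed sample events (not real telemetry) in imAuthentication-like shape."""
    base = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    ev = []
    # 16 distinct users failing from one source inside one 5-minute window: spray.
    for i in range(16):
        ev.append({"TimeGenerated": base + timedelta(seconds=10 * i), "EventType": "Logon",
                   "EventResult": "Failure", "EventResultDetails": "Incorrect password",
                   "SrcDvcIpAddr": "203.0.113.10", "TargetUserId": f"user{i}"})
    # 20 failures for a single user from another source: brute force, not spray.
    for i in range(20):
        ev.append({"TimeGenerated": base + timedelta(seconds=5 * i), "EventType": "Logon",
                   "EventResult": "Failure", "EventResultDetails": "No such user or password",
                   "SrcDvcIpAddr": "198.51.100.7", "TargetUserId": "alice"})
    # A successful logon and a lockout detail are dropped by stages 2 and 3.
    ev.append({"TimeGenerated": base, "EventType": "Logon", "EventResult": "Success",
               "EventResultDetails": "", "SrcDvcIpAddr": "203.0.113.10", "TargetUserId": "bob"})
    ev.append({"TimeGenerated": base, "EventType": "Logon", "EventResult": "Failure",
               "EventResultDetails": "Account locked", "SrcDvcIpAddr": "203.0.113.10",
               "TargetUserId": "carol"})
    return ev


def detect_password_spray(events, threshold=15, window=timedelta(minutes=5)):
    """Return (source, bin_start, user_count) for every source/bin over the threshold."""
    users_by_key = defaultdict(set)
    for e in events:
        # Stage 2: failed logons only.
        if e["EventType"] != "Logon" or e["EventResult"] != "Failure":
            continue
        # Stage 3: restrict to credential-mismatch failure reasons.
        if e["EventResultDetails"] not in FAILURE_DETAILS:
            continue
        # Stage 4: bin(TimeGenerated, 5m) and dcount(TargetUserId) by source.
        epoch = int(e["TimeGenerated"].timestamp())
        bin_start = epoch - epoch % int(window.total_seconds())
        users_by_key[(e["SrcDvcIpAddr"], bin_start)].add(e["TargetUserId"])
    # Stage 5: UserCount > FailureThreshold.
    return [(src, datetime.fromtimestamp(b, tz=timezone.utc), len(users))
            for (src, b), users in sorted(users_by_key.items()) if len(users) > threshold]


if __name__ == "__main__":
    for src, start, count in detect_password_spray(make_events()):
        print(f"{src} {start.isoformat()} distinct_users={count}")
```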
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
| EventResult | eq | "Failure" |
| EventResultDetails | in | ["Incorrect password", "No such user or password"] |
| EventType | eq | "Logon" |
| UserCount | gt | FailureThreshold |