detection.wiki

Detection rules › Kusto

SecurityEvent - Multiple authentication failures followed by a success

Status
available
Severity
low
Time window
10m
Group by
Account, Computer, IpAddress, Outcome, SessionStartedUtc
Source
github.com/Azure/Azure-Sentinel

Identifies accounts who have failed to logon to the domain multiple times in a row, followed by a successful authentication within a short time frame. Multiple failed attempts followed by a success can be an indication of a brute force attempt or possible mis-configuration of a service account within an environment. The lookback is set to 2h and the authentication window and threshold are set to 1h and 5, meaning we need to see a minimum of 5 failures followed by a success for an account within 1 hour to surface an alert.

MITRE ATT&CK coverage

TacticTechniques
Credential AccessT1110 Brute Force

Event coverage

ProviderEventTitle
Security-AuditingEvent ID 4624An account was successfully logged on.
Security-AuditingEvent ID 4625An account failed to log on.

Rule body kusto

id: cf3ede88-a429-493b-9108-3e46d3c741f7
name: SecurityEvent - Multiple authentication failures followed by a success
description: |
  'Identifies accounts who have failed to logon to the domain multiple times in a row, followed by a successful authentication within a short time frame. Multiple failed attempts followed by a success can be an indication of a brute force attempt or possible mis-configuration of a service account within an environment.
  The lookback is set to 2h and the authentication window and threshold are set to 1h and 5, meaning we need to see a minimum of 5 failures followed by a success for an account within 1 hour to surface an alert.'
severity: Low
requiredDataConnectors:
  - connectorId: SecurityEvents
    dataTypes:
      - SecurityEvent
  - connectorId: WindowsSecurityEvents
    dataTypes:
      - SecurityEvent
queryFrequency: 2h
queryPeriod: 2h
triggerOperator: gt
triggerThreshold: 0
status: Available
tactics:
  - CredentialAccess
relevantTechniques:
  - T1110
query: |
    let timeRange = 2h;
    let authenticationWindow = 1h;
    let authenticationThreshold = 5;
    SecurityEvent
    | where TimeGenerated > ago(timeRange)
    | where EventID in (4624, 4625)
    | where IpAddress != "-" and isnotempty(Account)
    | extend Outcome = iff(EventID == 4624, "Success", "Failure")
    // bin outcomes into 10 minute windows to reduce the volume of data
    | summarize OutcomeCount=count() by bin(TimeGenerated, 10m), Account, IpAddress, Computer, Outcome
    | project TimeGenerated, Account, IpAddress, Computer, Outcome, OutcomeCount
    // sort ready for sessionizing - by account and time of the authentication outcome
    | sort by TimeGenerated asc, Account, IpAddress, Computer, Outcome, OutcomeCount
    | serialize
    // sessionize into failure groupings until either the account changes or there is a success
    | extend SessionStartedUtc = row_window_session(TimeGenerated, timeRange, authenticationWindow, Account != prev(Account) or prev(Outcome) == "Success")
    // count the failures in each session
    | summarize FailureCountBeforeSuccess=sumif(OutcomeCount, Outcome == "Failure"), StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), make_list(Outcome, 128), make_set(Computer, 128), make_set(IpAddress, 128) by SessionStartedUtc, Account
    // the session must not start with a success, and must end with one
    | where array_index_of(list_Outcome, "Success") != 0
    | where array_index_of(list_Outcome, "Success") == array_length(list_Outcome) - 1
    | project-away SessionStartedUtc, list_Outcome
    // where the number of failures before the success is above the threshold
    | where FailureCountBeforeSuccess >= authenticationThreshold
    // expand out ip and computer for customer entity assignment
    | mv-expand set_IpAddress, set_Computer
    | extend IpAddress = tostring(set_IpAddress), Computer = tostring(set_Computer)
    | extend timestamp=StartTime, NTDomain = split(Account, '\\', 0)[0], Name = split(Account, '\\', 1)[0], HostName = tostring(split(Computer, '.', 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(Computer, '.'), 1, -1), '.'))
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: Account
      - identifier: Name
        columnName: Name
      - identifier: NTDomain
        columnName: NTDomain
  - entityType: Host
    fieldMappings:
      - identifier: FullName
        columnName: Computer
      - identifier: HostName
        columnName: HostName
      - identifier: DnsDomain
        columnName: DnsDomain
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: IpAddress
version: 1.0.7
kind: Scheduled

Stages and Predicates

Parameters

let timeRange = 2h;
let authenticationWindow = 1h;
let authenticationThreshold = 5;

Stage 1: source

SecurityEvent

Stage 2: where

| where TimeGenerated > ago(timeRange)

Stage 3: where

| where EventID in (4624, 4625)

Stage 4: where

| where IpAddress != "-" and isnotempty(Account)

Stage 5: extend

| extend Outcome = iff(EventID == 4624, "Success", "Failure")
Outcome =
ifEventID == 4624"Success"
else"Failure"

Stage 6: summarize

| summarize OutcomeCount=count() by bin(TimeGenerated, 10m), Account, IpAddress, Computer, Outcome

Stage 7: project

| project TimeGenerated, Account, IpAddress, Computer, Outcome, OutcomeCount

Stage 8: sort

| sort by TimeGenerated asc, Account, IpAddress, Computer, Outcome, OutcomeCount

Stage 9: kusto:serialize

| serialize

Stage 10: extend

| extend SessionStartedUtc = row_window_session(TimeGenerated, timeRange, authenticationWindow, Account != prev(Account) or prev(Outcome) == "Success")

Stage 11: summarize

| summarize FailureCountBeforeSuccess=sumif(OutcomeCount, Outcome == "Failure"), StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), make_list(Outcome, 128), make_set(Computer, 128), make_set(IpAddress, 128) by SessionStartedUtc, Account
Threshold
ge 5

Stage 12: where

| where array_index_of(list_Outcome, "Success") != 0

Stage 13: where

| where array_index_of(list_Outcome, "Success") == array_length(list_Outcome) - 1

Stage 14: project-away

| project-away SessionStartedUtc, list_Outcome

Stage 15: where

| where FailureCountBeforeSuccess >= authenticationThreshold

Stage 16: mv-expand

| mv-expand set_IpAddress, set_Computer

Stage 17: extend

| extend IpAddress = tostring(set_IpAddress), Computer = tostring(set_Computer)

Stage 18: extend

| extend timestamp=StartTime, NTDomain = split(Account, '\\', 0)[0], Name = split(Account, '\\', 1)[0], HostName = tostring(split(Computer, '.', 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(Computer, '.'), 1, -1), '.'))

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
Accountis_not_null
  • (no value, null check)
EventIDin
  • 4624 transforms: cased corpus 25 (splunk 13, kusto 8, chronicle 4)
  • 4625 transforms: cased corpus 15 (splunk 11, chronicle 2, kusto 2)
FailureCountBeforeSuccessge
  • 5 transforms: cased
IpAddressne
  • - transforms: cased
list_Outcomein
  • Success

Output fields

Fields the rule emits when it matches. Chronicle authors list these in the outcome block; they appear on the detection and $risk_score drives alerting. Sentinel / Defender XDR rules build them up through project / summarize / extend stages. Sentinel maps these into alert fields via entityMappings and customDetails; Defender XDR custom detections surface them as alert fields directly.

FieldSource
Accountsummarize
EndTimesummarize
FailureCountBeforeSuccesssummarize
StartTimesummarize
Computerextend
IpAddressextend
DnsDomainextend
HostNameextend
NTDomainextend
Nameextend
timestampextend