-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathPasswordSpray.json
42 lines (42 loc) · 2.23 KB
/
PasswordSpray.json
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
},
"analytic-id": {
"type": "string",
"defaultValue": "227bc6a9-c410-4862-ac5a-dd3e2ff14a6f",
"minLength": 1,
"metadata": {
"description": "Unique id for the scheduled alert rule"
}
}
},
"resources": [
{
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',parameters('analytic-id'))]",
"apiVersion": "2020-01-01",
"kind": "Scheduled",
"location": "[resourceGroup().location]",
"properties": {
"description": "This query searches for failed attempts to log into the Okta console from more than 15 various users within a 5 minute timeframe from the same source. This is a potential indication of a password spray attack",
"displayName": "Potential Password Spray Attack",
"enabled": false,
"query": "\nlet FailureThreshold = 15;\nlet FailedEvents = Okta_CL\n| where eventType_s =~ \"user.session.start\"and outcome_reason_s in (\"VERIFICATION_ERROR\",\"INVALID_CREDENTIALS\")\n| summarize dcount(actor_alternateId_s) by client_ipAddress_s, bin(TimeGenerated, 5m)\n| where dcount_actor_alternateId_s > FailureThreshold\n| project client_ipAddress_s, TimeGenerated;\nOkta_CL\n| where eventType_s =~ \"user.session.start\"and outcome_reason_s in (\"VERIFICATION_ERROR\",\"INVALID_CREDENTIALS\")\n| summarize Users = make_set(actor_alternateId_s) by client_ipAddress_s, City = client_geographicalContext_city_s, Country = client_geographicalContext_country_s, bin(TimeGenerated, 5m)\n| join kind=inner (FailedEvents) on client_ipAddress_s, TimeGenerated\n| sort by TimeGenerated desc\n| extend timestamp = TimeGenerated, IPCustomEntity = client_ipAddress_s\n",
"queryFrequency": "PT1H",
"queryPeriod": "PT1H",
"severity": "Medium",
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"triggerOperator": "GreaterThan",
"triggerThreshold": 0,
"tactics": [
"CredentialAccess"
]
}
}
]
}