From daca6e17c1bfac4c308c2f27c3e41aa9756b3aad Mon Sep 17 00:00:00 2001
From: Ofer Shezaf
Date: Mon, 4 Apr 2022 13:32:59 +0300
Subject: [PATCH 1/2] Update ASIM brute force to set reporting sources as a custom field.
---
 .../ASimAuthentication/imAuthBruteForce.yaml | 42 +++++++++++--------
 1 file changed, 25 insertions(+), 17 deletions(-)
diff --git a/Detections/ASimAuthentication/imAuthBruteForce.yaml b/Detections/ASimAuthentication/imAuthBruteForce.yaml
index 548b7db4d6a..7163090ca92 100644
--- a/Detections/ASimAuthentication/imAuthBruteForce.yaml
+++ b/Detections/ASimAuthentication/imAuthBruteForce.yaml
@@ -1,15 +1,15 @@
 id: a6c435a2-b1a0-466d-b730-9f8af69262e8
 name: Brute force attack against user credentials (Uses Authentication Normalization)
 description: |
- 'Identifies evidence of brute force activity against a user highlighting multiple authentication failures
- and by a successful authentication within a given time window.
- (The query does not enforce any sequence - eg requiring the successful authentication to occur last.)
- Default Failure count is 10, Default Success count is 1 and default Time Window is 20 minutes.
+ 'Identifies evidence of brute force activity against a user based on multiple authentication failures
+ and at least one successful authentication within a given time window. Note that the query does not enforce any sequence,
+ and does not require the successful authentication to occur last.
+ The default failure threshold is 10, success threshold is 1, and the default time window is 20 minutes.
 To use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimAuthentication)'
 severity: Medium
 requiredDataConnectors: []
-queryFrequency: 1h
-queryPeriod: 1h
+queryFrequency: 20m
+queryPeriod: 20m
 triggerOperator: gt
 triggerThreshold: 0
 tactics:
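Review bot: Shrinking `queryPeriod` to 20m while the query (next hunk) no longer bins on TimeGenerated turns the 20-minute window into a pure scheduling property: an authentication event that is ingested after the run covering its window has executed is never counted, and the old 1h period gave late-arriving events noticeably more chance of being seen. Conversely, anyone who widens `queryPeriod` to absorb ingestion delay silently widens the detection window and lowers the effective sensitivity of the 10/1 thresholds without touching them. The new description still promises a 20-minute default window, so the coupling should at least be stated there, e.g. `The time window is the rule's queryPeriod (20 minutes by default); changing queryPeriod changes both the window and the sensitivity of the thresholds.` Alternatively keep a `bin(TimeGenerated, 20m)` grouping in the summarize so the period can be lengthened for late data without changing what the thresholds mean.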
@@ -24,23 +24,31 @@ tags:
 query: |
 let failureCountThreshold = 10;
 let successCountThreshold = 1;
- let authenticationWindow = 20m;
+ // let authenticationWindow = 20m; // Implicit in the analytic rule query period
 imAuthentication
- | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), IPAddress = make_set(SrcDvcIpAddr)
- , FailureCount = countif(EventResult=='Failure')
- , SuccessCount = countif(EventResult=='Success')
- // might be improved by counting FailReason:Outdated as Success.
- by bin(TimeGenerated, authenticationWindow), TargetUserId, TargetUsername, TargetUserType
+ | summarize
+ StartTime = min(TimeGenerated),
+ EndTime = max(TimeGenerated),
+ IpAddresses = make_set (SrcDvcIpAddr, 100),
+ ReportedBy = make_set (strcat (EventVendor, "/", EventProduct), 100),
+ FailureCount = countif(EventResult=='Failure'),
+ SuccessCount = countif(EventResult=='Success')
+ by
+ TargetUserId, TargetUsername, TargetUserType
 | where FailureCount >= failureCountThreshold and SuccessCount >= successCountThreshold
+ | extend
+ IpAddresses = strcat_array(IpAddresses, ", "),
+ ReportedBy = strcat_array(ReportedBy, ", ")
 entityMappings:
 - entityType: Account
 fieldMappings:
 - identifier: FullName
 columnName: TargetUsername
- - entityType: IP
- fieldMappings:
- - identifier: Address
- columnName: SrcDvcIpAddr
-version: 1.1.2
+
+customDetails:
+ IpAddresses: IpAddresses
+ ReportedBy: ReportedBy
+
+version: 1.2
 kind: Scheduled
From 0c75650dff4aa65fafb5a67f3b1aa86f0cc88c9b Mon Sep 17 00:00:00 2001
From: Ofer Shezaf
Date: Mon, 4 Apr 2022 13:49:49 +0300
Subject: [PATCH 2/2] Fix template version format
---
 Detections/ASimAuthentication/imAuthBruteForce.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Detections/ASimAuthentication/imAuthBruteForce.yaml b/Detections/ASimAuthentication/imAuthBruteForce.yaml
index 7163090ca92..b44f8963d8d 100644
--- a/Detections/ASimAuthentication/imAuthBruteForce.yaml
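Review bot: Deleting the `- entityType: IP` mapping leaves the alert with no IP entity at all, so incident correlation, entity pages and any playbook keyed on the source address stop working for this rule; `customDetails` is a display string, not an entity. `IpAddresses` is still a dynamic array before the final `extend`, so one representative address can be kept as an entity without losing the full list: add `| extend IpAddress = tostring(IpAddresses[0])` ahead of the `strcat_array` extend and restore the IP mapping with `identifier: Address` / `columnName: IpAddress`. `make_set (SrcDvcIpAddr, 100)` also caps the set silently, so an analyst reading the comma-joined field cannot distinguish a 100-address spray from a much larger one; adding `DistinctIpCount = dcount(SrcDvcIpAddr)` to the summarize and to `customDetails` makes the truncation visible. The `// let authenticationWindow = 20m;` comment should also warn that the query now aggregates over the entire query period, since running it ad hoc in Logs over a longer range will inflate the counts against the fixed thresholds.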
+++ b/Detections/ASimAuthentication/imAuthBruteForce.yaml
@@ -50,5 +50,5 @@ customDetails:
 IpAddresses: IpAddresses
 ReportedBy: ReportedBy
-version: 1.2
+version: 1.2.0
 kind: Scheduled