Excessive number of HTTP authentication failures from a source (ASIM Web Session schema)

Hunt Hypothesis

This rule identifies a source that repeatedly fails to authenticate to a web service (HTTP response code 403). This may indicate a brute force or [c

KQL Query

let error403_count_threshold=200;
_Im_WebSession(eventresultdetails_in=dynamic(["403"]))
| extend ParsedUrl=parse_url(Url)
| extend UrlHost=tostring(ParsedUrl["Host"]), UrlSchema=tostring(ParsedUrl["Schema"])
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), NumberOfErrors = count(), Urls=makeset(Url) by UrlHost, SrcIpAddr
| where NumberOfErrors > error403_count_threshold
| sort by NumberOfErrors desc
| extend Url=tostring(Urls[0])

Analytic Rule Definition

id: a1bddaf8-982b-4089-ba9e-6590dfcf80ea
name: Excessive number of HTTP authentication failures from a source (ASIM Web Session schema)
description: |
    This rule identifies a source that repeatedly fails to authenticate to a web service (HTTP response code 403). This may indicate a [brute force](https://en.wikipedia.org/wiki/Brute-force_attack) or [credential stuffing](https://en.wikipedia.org/wiki/Credential_stuffing) attack.
    This rule uses the [Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM) and supports any web session source that complies with ASIM.
severity: Low
requiredDataConnectors:
  - connectorId: SquidProxy
    dataTypes:
      - SquidProxy_CL
  - connectorId: Zscaler
    dataTypes:
      - CommonSecurityLog
queryFrequency: 1d
queryPeriod: 1d
triggerOperator: gt
triggerThreshold: 0
tactics:
    - Persistence
    - CredentialAccess
relevantTechniques:
    - T1110
    - T1556
tags:
    - ParentAlert: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/Wazuh-Large%20Number%20of%20Web%20errors%20from%20an%20IP.yaml
      ParentVersion: 1.1.0
    - Schema: ASIMWebSession
      SchemaVersion: 0.2.1
query: |
    let error403_count_threshold=200;
    _Im_WebSession(eventresultdetails_in=dynamic(["403"]))
    | extend ParsedUrl=parse_url(Url)
    | extend UrlHost=tostring(ParsedUrl["Host"]), UrlSchema=tostring(ParsedUrl["Schema"])
    | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), NumberOfErrors = count(), Urls=makeset(Url) by UrlHost, SrcIpAddr
    | where NumberOfErrors > error403_count_threshold
    | sort by NumberOfErrors desc
    | extend Url=tostring(Urls[0])
entityMappings:
    - entityType: URL
      fieldMappings:
          - identifier: Url
            columnName: Url
    - entityType: IP
      fieldMappings:
          - identifier: Address
            columnName: SrcIpAddr
customDetails:
  NumberOfErrors: NumberOfErrors
alertDetailsOverride:
    alertDisplayNameFormat: Excessive number of HTTP authentication failures from {{SrcIpAddr}
    alertDescriptionFormat: A client with address {{SrcIpAddr}} generated a large number of failed authentication HTTP requests. This may indicate a [brute force](https://en.wikipedia.org/wiki/Brute-force_attack) or [credential stuffing](https://en.wikipedia.org/wiki/Credential_stuffing) attack.
version: 1.0.6
kind: Scheduled
metadata:
    source:
        kind: Community
    author:
        name: Yaron
    support:
        tier: Community
    categories:
        domains: [ "Security - Others" ]

MITRE ATT&CK Context

• Tactic: Persistence
• Tactic: CredentialAccess
• Tactic: Credential Access
• Tactic: Defense Evasion
• Technique: T1110 — Brute Force

  Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained.(Citation: TrendMicro Pawn Storm Dec 2020) Without knowledge of th

• Technique: T1556 — Modify Authentication Process

  Adversaries may modify authentication mechanisms and processes to access user credentials or enable otherwise unwarranted access to accounts. The authentication process is handled by mechanisms, such

References

• Source Query