An adversary brute forcing or credential stuffing a web service produces a burst of HTTP authentication failures from a single source. This rule maps that behaviour to T1110 (Brute Force) and T1556 (Modify Authentication Process). SOC teams should hunt for it in Azure Sentinel (now Microsoft Sentinel) to catch credential compromise before the account is used for lateral movement or data exfiltration. Note that the rule keys on HTTP 403 responses: services that answer a bad login with 401 need the eventresultdetails_in filter widened, and 403 is also returned for authorization denials on valid sessions, so confirm the targeted URL is a login or token endpoint before escalating.
KQL Query
let error403_count_threshold=200;
_Im_WebSession(eventresultdetails_in=dynamic(["403"]))
| extend ParsedUrl=parse_url(Url)
| extend UrlHost=tostring(ParsedUrl["Host"]), UrlSchema=tostring(ParsedUrl["Schema"])
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), NumberOfErrors = count(), Urls=makeset(Url) by UrlHost, SrcIpAddr
| where NumberOfErrors > error403_count_threshold
| sort by NumberOfErrors desc
| extend Url=tostring(Urls[0])
id: a1bddaf8-982b-4089-ba9e-6590dfcf80ea
name: Excessive number of HTTP authentication failures from a source (ASIM Web Session schema)
description: |
  This rule identifies a source that repeatedly fails to authenticate to a web service (HTTP response code 403). This may indicate a [brute force](https://en.wikipedia.org/wiki/Brute-force_attack) or [credential stuffing](https://en.wikipedia.org/wiki/Credential_stuffing) attack.
  This rule uses the [Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM) and supports any web session source that complies with ASIM.
severity: Low
requiredDataConnectors:
  - connectorId: SquidProxy
    dataTypes:
      - SquidProxy_CL
  - connectorId: Zscaler
    dataTypes:
      - CommonSecurityLog
queryFrequency: 1d
queryPeriod: 1d
triggerOperator: gt
triggerThreshold: 0
tactics:
  - Persistence
  - CredentialAccess
relevantTechniques:
  - T1110
  - T1556
tags:
  - ParentAlert: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/CommonSecurityLog/Wazuh-Large%20Number%20of%20Web%20errors%20from%20an%20IP.yaml
    ParentVersion: 1.1.0
  - Schema: ASIMWebSession
    SchemaVersion: 0.2.1
query: |
  let error403_count_threshold=200;
  _Im_WebSession(eventresultdetails_in=dynamic(["403"]))
  | extend ParsedUrl=parse_url(Url)
  | extend UrlHost=tostring(ParsedUrl["Host"]), UrlSchema=tostring(ParsedUrl["Schema"])
  | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), NumberOfErrors = count(), Urls=makeset(Url) by UrlHost, SrcIpAddr
  | where NumberOfErrors > error403_count_threshold
  | sort by NumberOfErrors desc
  | extend Url=tostring(Urls[0])
entityMappings:
  - entityType: URL
    fieldMappings:
      - identifier: Url
        columnName: Url
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: SrcIpAddr
customDetails:
  NumberOfErrors: NumberOfErrors
alertDetailsOverride:
  alertDisplayNameFormat: Excessive number of HTTP authentication failures from {{SrcIpAddr}}
  alertDescriptionFormat: A client with address {{SrcIpAddr}} generated a large number of failed authentication HTTP requests. This may indicate a [brute force](https://en.wikipedia.org/wiki/Brute-force_attack) or [credential stuffing](https://en.wikipedia.org/wiki/Credential_stuffing) attack.
version: 1.0.6
kind: Scheduled
metadata:
  source:
    kind: Community
  author:
    name: Yaron
  support:
    tier: Community
  categories:
    domains: [ "Security - Others" ]
Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained.(Citation: TrendMicro Pawn Storm Dec 2020) Without knowledge of th
Adversaries may modify authentication mechanisms and processes to access user credentials or enable otherwise unwarranted access to accounts. The authentication process is handled by mechanisms, such
Scenario: Scheduled Job Failing to Authenticate to an API
Description: A scheduled job (e.g., Jenkins, Ansible, or a custom script) repeatedly authenticates to a web service with stale or incorrect credentials during a maintenance window.
Filter/Exclusion: Exclude the source addresses of known CI/CD hosts or scheduled jobs (e.g., SrcIpAddr == "192.168.1.100") or the service account they use (e.g., SrcUsername == "jenkins"). Keep the allowlist in a watchlist rather than as literals in the rule so it can be maintained without editing the detection, and review it periodically: an allowlisted CI host that is compromised is exactly where an attacker would spray from.
Scenario: Admin Task with Incorrect Credentials
Description: An administrator testing or troubleshooting a web service submits wrong credentials repeatedly, producing many 403 responses from a single workstation.
Filter/Exclusion: Exclude the admin workstation's address (e.g., SrcIpAddr == "10.0.0.5") or the administrator's account (SrcUsername). Do not exclude on a generic browser user agent such as "Mozilla/5.0 (X11; Linux x86_64)": the string is trivially spoofed and matches ordinary attacker tooling, so it would suppress real brute-force traffic. An HttpUserAgent filter is only safe for a distinctive, tool-specific value.
Scenario: System Migration or Update
Description: During a system update or migration, a provisioning tool (e.g., Ansible, Terraform, or a custom migration script) repeatedly authenticates to a web service with outdated credentials.
Filter/Exclusion: Exclude the migration host's address (e.g., SrcIpAddr == "10.10.10.10"). Proxy and web-server logs generally do not identify the client process, so a process-name filter (e.g., ansible-playbook) is not available in web session data; use the source address, the tool's service account, or a distinctive user agent instead, and remove the exclusion once the migration window closes.
Scenario: Load Testing with Invalid Credentials
Description: A load testing tool (e.g., JMeter, Gatling, or Locust) is configured with incorrect credentials to simulate user traffic, resulting in multiple 403 responses.
*Filter/Ex
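The following KQL is an added example, not part of the shipped rule or the Azure-Sentinel repository. It runs the rule's aggregation (the KQL Query section above) over a constructed set of ASIM-shaped events built with datatable, and applies the exclusions discussed in the false-positive scenarios above. The allowlist contents, the service-account names, the threshold of 3 (lowered from the rule's 200 so the sample data trips it), and the inclusion of 401 alongside 403 are assumptions for the demonstration. In a workspace, replace the datatable with _Im_WebSession(eventresultdetails_in=dynamic(["401","403"])) and the inline lists with a watchlist read through _GetWatchlist.

```kql
// Added example: constructed sample events shaped like the ASIM WebSession columns the rule uses.
// Not the Sentinel rule's own code. Threshold, allowlist and service-account list are assumptions.
let error_count_threshold = 3;                                        // rule ships with 200; lowered for the sample
let known_automation_ips = dynamic(["10.0.0.5", "192.168.1.100"]);   // assumed allowlist (CI/CD, admin workstation)
let service_accounts = dynamic(["jenkins", "svc-loadtest"]);          // assumed service accounts used by automation
let sample = datatable(TimeGenerated:datetime, SrcIpAddr:string, SrcUsername:string,
                       HttpUserAgent:string, Url:string, EventResultDetails:string)
[
  // constructed data: one external source hammering a login endpoint
  datetime(2024-05-01T10:00:00Z), "203.0.113.7", "", "python-requests/2.31", "https://portal.example.com/login", "403",
  datetime(2024-05-01T10:00:01Z), "203.0.113.7", "", "python-requests/2.31", "https://portal.example.com/login", "401",
  datetime(2024-05-01T10:00:02Z), "203.0.113.7", "", "python-requests/2.31", "https://portal.example.com/login", "403",
  datetime(2024-05-01T10:00:03Z), "203.0.113.7", "", "python-requests/2.31", "https://portal.example.com/api/v1/token", "403",
  // constructed data: a CI host with a stale token (scenario 1)
  datetime(2024-05-01T10:05:00Z), "192.168.1.100", "jenkins", "Jenkins/2.4", "https://artifacts.example.com/api", "403",
  datetime(2024-05-01T10:05:01Z), "192.168.1.100", "jenkins", "Jenkins/2.4", "https://artifacts.example.com/api", "403",
  datetime(2024-05-01T10:05:02Z), "192.168.1.100", "jenkins", "Jenkins/2.4", "https://artifacts.example.com/api", "403",
  datetime(2024-05-01T10:05:03Z), "192.168.1.100", "jenkins", "Jenkins/2.4", "https://artifacts.example.com/api", "403",
  // constructed data: an administrator mistyping a password twice (scenario 2)
  datetime(2024-05-01T10:07:00Z), "198.51.100.9", "alice", "Mozilla/5.0 (X11; Linux x86_64)", "https://portal.example.com/admin", "403",
  datetime(2024-05-01T10:07:30Z), "198.51.100.9", "alice", "Mozilla/5.0 (X11; Linux x86_64)", "https://portal.example.com/admin", "403",
  // a successful request from the attacker source; not a failure, so it does not count
  datetime(2024-05-01T10:20:00Z), "203.0.113.7", "", "python-requests/2.31", "https://portal.example.com/login", "200"
];
sample
| where EventResultDetails in ("401", "403")          // failed-auth responses; the shipped rule keys on 403 only
| where SrcIpAddr !in (known_automation_ips)          // scenarios 1 and 3: known automation and migration hosts
| where SrcUsername !in (service_accounts)            // scenario 1: named service accounts
| extend ParsedUrl = parse_url(Url)
| extend UrlHost = tostring(ParsedUrl["Host"])
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated),
            NumberOfErrors = count(), DistinctUrls = dcount(Url),
            Urls = make_set(Url, 10), UserAgents = make_set(HttpUserAgent, 5)
            by UrlHost, SrcIpAddr
| where NumberOfErrors > error_count_threshold
// failures per minute helps triage: a tight burst reads as tooling, a slow trickle as a human
| extend ErrorsPerMinute = todouble(NumberOfErrors) / (max_of(datetime_diff("second", EndTime, StartTime), 1) / 60.0)
| extend Url = tostring(Urls[0])
| sort by NumberOfErrors desc
```

On this data only 203.0.113.7 against portal.example.com survives (four failures across two URLs in three seconds); the Jenkins host is dropped by the allowlist and the administrator's two failures stay under the threshold. The DistinctUrls and UserAgents columns are not in the shipped rule; they are added so an analyst can see at a glance whether the source is spraying one login path or probing many, and whether it identifies itself as a script or a browser.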