A password spray attack is detected through multiple failed login attempts from different users originating from the same source within a short timeframe, indicating an adversary is systematically testing common passwords. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate credential compromise risks before lateral movement or data exfiltration occurs.
KQL Query
```kql
let FailureThreshold = 15;
imAuthentication
| where EventType == 'Logon' and EventResult == 'Failure'
// reason: only failures caused by bad credentials, not lockouts or MFA denials
| where EventResultDetails in ('No such user or password', 'Incorrect password')
// distinct target users per source IP in fixed 5-minute bins
| summarize UserCount = dcount(TargetUserId), Vendors = make_set(EventVendor), Products = make_set(EventProduct)
    , Users = make_set(TargetUserId, 100)
    by SrcDvcIpAddr, SrcGeoCountry, bin(TimeGenerated, 5m)
| where UserCount > FailureThreshold
```
```yaml
id: 6a2e2ff4-5568-475e-bef2-b95f12b9367b
name: Potential Password Spray Attack (Uses Authentication Normalization)
description: |
  'This query searches for failed attempts to log in from more than 15 different users within a 5 minute timeframe from the same source. This is a potential indication of a password spray attack.
  To use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimAuthentication)'
severity: Medium
requiredDataConnectors: []
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
tactics:
  - CredentialAccess
relevantTechniques:
  - T1110
tags:
  - Id: e27dd7e5-4367-4c40-a2b7-fcd7e7a8a508
    version: 1.0.0
  - Schema: ASIMAuthentication
    SchemaVersion: 0.1.0
query: |
  let FailureThreshold = 15;
  imAuthentication
  | where EventType == 'Logon' and EventResult == 'Failure'
  // reason: only failures caused by bad credentials, not lockouts or MFA denials
  | where EventResultDetails in ('No such user or password', 'Incorrect password')
  | summarize UserCount = dcount(TargetUserId), Vendors = make_set(EventVendor), Products = make_set(EventProduct)
      , Users = make_set(TargetUserId, 100)
      by SrcDvcIpAddr, SrcGeoCountry, bin(TimeGenerated, 5m)
  | where UserCount > FailureThreshold
entityMappings:
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: SrcDvcIpAddr
version: 1.1.3
kind: Scheduled
metadata:
  source:
    kind: Community
  author:
    name: Ofer Shezaf
  support:
    tier: Community
  categories:
    domains: [ "Security - Others", "Identity" ]
```
| Sentinel Table | Notes |
|---|---|
| imAuthentication | Ensure this data connector is enabled |
Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained.(Citation: TrendMicro Pawn Storm Dec 2020) Without knowledge of th
Scenario: Scheduled Job Credential Rotation
Description: A system administrator uses a script or tool like ansible or puppet to rotate credentials for multiple services, resulting in multiple failed login attempts as the script tests old credentials before applying new ones.
Filter/Exclusion: Exclude IP addresses associated with internal management tools or known administrative tasks (e.g., 10.0.0.0/8), or add a filter for user_agent matching administrative tools.
Scenario: Automated System Health Check
Description: A monitoring tool like Nagios or Zabbix performs periodic health checks on multiple services, which may result in failed authentication attempts as it tests credentials for service accounts.
Filter/Exclusion: Exclude IP addresses used by monitoring tools or add a filter for service_name or job_id associated with the health check process.
Scenario: User Password Change via Admin Console
Description: An admin uses a tool like Microsoft Azure AD Password Change or Active Directory Users and Computers to change passwords for multiple users, which may temporarily result in failed login attempts as the old passwords expire.
Filter/Exclusion: Exclude users with admin privileges or add a filter for user_role or change_request_id associated with password change operations.
Scenario: Multi-Factor Authentication (MFA) Setup
Description: A user sets up MFA using a tool like Microsoft Authenticator or Google Authenticator, which may result in multiple failed login attempts as the user enters their password and MFA code.
Filter/Exclusion: Exclude users who have recently initiated MFA setup or add a filter for mfa_enrollment_status or device_type associated with MFA enrollment.
Scenario: Bulk User Provisioning via API
Description: A
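To make the query's grouping and the exclusions above concrete, here is an added Python model of the rule's logic (it is not the page's or Microsoft's code, and not KQL) run over constructed ASIM-shaped events; the 10.0.0.0/8 allowlist, the IP addresses, the user names and the "Account locked" reason are assumptions. It also shows a limit of bin(): a spray that straddles a 5-minute boundary is split across two bins and can stay under the threshold.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

FAILURE_THRESHOLD = 15                 # let FailureThreshold = 15;
CRED_REASONS = {"No such user or password", "Incorrect password"}
# Hypothetical allowlist for the "internal management tools" false positive above.
EXCLUDED_RANGES = [ip_network("10.0.0.0/8")]

def floor_to_bin(ts):
    """Same floor as KQL bin(TimeGenerated, 5m): fixed 5-minute buckets, not a sliding window."""
    return ts.replace(minute=ts.minute - ts.minute % 5, second=0, microsecond=0)

def spray_candidates(events, threshold=FAILURE_THRESHOLD, exclusions=EXCLUDED_RANGES):
    """Model of the rule: credential failures grouped by (source IP, 5m bin); keep groups whose
    distinct TargetUserId count exceeds the threshold. Returns {(src, bin_start): sorted users}."""
    users_by_group = defaultdict(set)
    for ev in events:
        if ev["EventType"] != "Logon" or ev["EventResult"] != "Failure":
            continue
        if ev["EventResultDetails"] not in CRED_REASONS:    # lockouts, MFA denials etc. are ignored
            continue
        if any(ip_address(ev["SrcDvcIpAddr"]) in net for net in exclusions):
            continue
        key = (ev["SrcDvcIpAddr"], floor_to_bin(ev["TimeGenerated"]))
        users_by_group[key].add(ev["TargetUserId"])
    return {k: sorted(v) for k, v in users_by_group.items() if len(v) > threshold}

def make_failures(src, start, n, step_seconds=5, reason="Incorrect password"):
    """Constructed ASIM-shaped events: n distinct users, one failed logon each, from one source."""
    return [{"TimeGenerated": start + timedelta(seconds=i * step_seconds), "EventType": "Logon",
             "EventResult": "Failure", "EventResultDetails": reason, "SrcDvcIpAddr": src,
             "TargetUserId": f"user{i:02d}@contoso.example"} for i in range(n)]

def demo(threshold=FAILURE_THRESHOLD):
    """Four constructed sources; only the first should fire at the rule's default threshold."""
    t0 = datetime(2024, 1, 1, 12, 0, 0)
    events = (make_failures("203.0.113.7", t0, 20)                                # 20 users in one bin
              + make_failures("198.51.100.9", t0 + timedelta(minutes=4, seconds=30), 20)  # 6 + 14 across bins
              + make_failures("10.1.2.3", t0, 20)                                 # allowlisted source
              + make_failures("192.0.2.1", t0, 20, reason="Account locked"))      # non-credential reason
    return spray_candidates(events, threshold)

if __name__ == "__main__":
    for (src, start), users in demo().items():
        print(f"{src} bin {start:%H:%M}: {len(users)} distinct users")   # prints only 203.0.113.7
```

Lowering the threshold (demo(threshold=10)) surfaces the 12:05 half of the straddling spray, which is the trade-off between the 15-user threshold and noise from the scenarios listed above.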