Detection: Azure AD High Number Of Failed Authentications For User

Updated Date: 2025-02-10 ID: 630b1694-210a-48ee-a450-6f79e7679f2c Author: Mauricio Velazco, Splunk Type: TTP Product: Splunk Enterprise Security

Description

The following analytic identifies an Azure AD account experiencing more than 20 failed authentication attempts within a 10-minute window. This detection leverages Azure SignInLogs data, specifically monitoring for error code 50126 and unsuccessful authentication attempts. This behavior is significant as it may indicate a brute force attack targeting the account. If confirmed malicious, an attacker could potentially gain unauthorized access, leading to data breaches or further exploitation within the environment. Security teams should adjust the threshold based on their specific environment to reduce false positives.

Search

 1`azure_monitor_aad` category= SignInLogs properties.status.errorCode=50126 properties.authenticationDetails{}.succeeded=false 
 2| rename properties.* as * 
 3| bucket span=10m _time 
 4| rename properties.userAgent as user_agent 
 5| fillnull 
 6| stats count min(_time) as firstTime max(_time) as lastTime values(dest) as dest values(src) as src values(user_agent) as user_agent by user _time vendor_account vendor_product 
 7| where count > 20 
 8| `security_content_ctime(firstTime)` 
 9| `security_content_ctime(lastTime)` 
10| `azure_ad_high_number_of_failed_authentications_for_user_filter`

Data Source

Name	Platform	Sourcetype	Source
Azure Active Directory	Azure	`'azure:monitor:aad'`	`'Azure AD'`

Macros Used

Name	Value
azure_monitor_aad	`sourcetype=azure:monitor:aad`
azure_ad_high_number_of_failed_authentications_for_user_filter	`search *`

azure_ad_high_number_of_failed_authentications_for_user_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Annotations

- MITRE ATT&CK

+ Kill Chain Phases

+ NIST

+ CIS

- Threat Actors

ID	Technique	Tactic
T1110.001	Password Guessing	Credential Access

Exploitation

DE.CM

CIS 10

APT29

Default Configuration

This detection is configured by default in Splunk Enterprise Security to run with the following settings:

Setting	Value
Disabled	true
Cron Schedule	`0 * * * *`
Earliest Time	`-70m@m`
Latest Time	`-10m@m`
Schedule Window	`auto`
Creates Notable	Yes
Rule Title	`%name%`
Rule Description	`%description%`
Notable Event Fields	user, dest
Creates Risk Event	True

This configuration file applies to all detections of type TTP. These detections will use Risk Based Alerting and generate Notable Events.

Implementation

You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the SignInLogs log category.

Known False Positives

A user with more than 20 failed authentication attempts in the span of 5 minutes may also be triggered by a broken application.

Associated Analytic Story

Risk Based Analytics (RBA)

Risk Message:

User $user$ failed to authenticate more than 20 times in the span of 5 minutes.

Risk Object	Risk Object Type	Risk Score	Threat Objects
user	user	35	No Threat Objects

References

Detection Testing

Test Type	Status	Dataset	Source	Sourcetype
Validation	✅ Passing	N/A	N/A	N/A
Unit	✅ Passing	Dataset	`Azure AD`	`azure:monitor:aad`
Integration	✅ Passing	Dataset	`Azure AD`	`azure:monitor:aad`

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

Source: GitHub | Version: 8