KQL Search

Query Details

HomeAI ToolsDevice Query

Detect API Spray Attack On Your Entra High Value Assets

Query

// Detect API Spray Attack on your Entra High Value Assets

// In recent months, a threat actor has been leveraging Amazon Data Services Nova (Ashburn, US) to perform API spray attacks on corporate Entra accounts. This activity can be identified in your sign-in logs by filtering for the user agent ‘AmazonAPIGateway_’. The following KQL query utilizes Sentinel UEBA behavior analytics to pinpoint which high-value Entra assets (BlastRadius = High) are involved in the API spray attack. You can then apply a conditional access rule to block this IP, enhancing protection for your high-value assets.

let APISpray =
SigninLogs
| where TimeGenerated > ago(90d)
| where ResultType == "50126" or ResultType == "50053"
| where UserAgent has "AmazonAPIGateway_"
| distinct IPAddress;
BehaviorAnalytics
| where SourceIPAddress has_any (APISpray)
| extend BlastRadius = UsersInsights.BlastRadius
| where BlastRadius == "High"

// #Sentinel #UEBA #BehaviourAnalytics #APISpray #BlastRadius #AWS #APIGateway

// MITRE ATT&ACK Mapping

// Tactic: Credential Access
// Technique: Valid Accounts (T1078)
// Sub-technique: Cloud Accounts (T1078.004)

// Tactic: Initial Access
// Technique: Exploit Public-Facing Application (T1190)
// Reason: The presence of “AmazonAPIGateway_” in the UserAgent string suggests interaction with a public-facing API, which could be exploited.

// Tactic: Discovery
// Technique: Account Discovery (T1087)
// Reason: The query is looking for behaviors associated with specific IP addresses, which could indicate reconnaissance activities.

// Tactic: Impact
// Technique: Data Destruction (T1485)
// Reason: High blast radius indicates a significant impact, potentially related to destructive actions.

Explanation

This query is designed to detect API spray attacks targeting high-value Entra accounts using Amazon Data Services Nova (Ashburn, US). Here's a simple summary:

  1. Identify Suspicious Activity: The query looks at sign-in logs from the past 90 days to find failed login attempts (ResultType "50126" or "50053") where the user agent string contains "AmazonAPIGateway_". These attempts are suspected to be part of an API spray attack.

  2. Extract IP Addresses: It extracts the distinct IP addresses involved in these suspicious activities.

  3. Analyze Behavior: It then checks these IP addresses against behavior analytics data to find which high-value assets (with a high blast radius) are being targeted.

  4. Enhance Protection: This information can be used to apply conditional access rules to block these IP addresses, thereby protecting the high-value assets.

MITRE ATT&CK Mapping:

  • Credential Access: Valid Accounts (T1078) - Cloud Accounts (T1078.004)
  • Initial Access: Exploit Public-Facing Application (T1190)
  • Discovery: Account Discovery (T1087)
  • Impact: Data Destruction (T1485)

The query helps in identifying and mitigating potential threats by focusing on high-impact assets and applying necessary security measures.

Details

Steven Lim profile picture

Steven Lim

Released: September 18, 2024

Tables

SigninLogsBehaviorAnalytics

Keywords

DevicesEntraSentinelUEBABehaviorAnalyticsAPISprayBlastRadiusAWSAPIGateway

Operators

let|where>ago==orhasdistinctextendhas_any

Actions