Multiple Accounts Locked
Query
let Threshold = 3;
let TimeFrame = 15m;
SigninLogs
| where ResultType == 50053
| summarize TotalAccounts = dcount(UserPrincipalName), Accounts = make_set(UserPrincipalName), UserAgentDetails = make_set(UserAgent) by bin(TimeGenerated, TimeFrame), IPAddress
| where TotalAccounts >= Threshold
| extend GeoIPInfo = geo_info_from_ip_address(IPAddress)
| extend country = tostring(parse_json(GeoIPInfo).country), state = tostring(parse_json(GeoIPInfo).state), city = tostring(parse_json(GeoIPInfo).city)About this query
Multiple Accounts Locked
Query Information
MITRE ATT&CK Technique(s)
| Technique ID | Title | Link |
|---|---|---|
| T1110 | Brute Force | https://attack.mitre.org/techniques/T1110/ |
Description
Detect when multiple accounts are locked in your Azure tenant in a short timeframe, this can indicate brute force or password spray attacks. This detection is based on error code 50053 wich results from two different reasons:
- IdsLocked - The account is locked because the user tried to sign in too many times with an incorrect user ID or password. The user is blocked due to repeated sign-in attempts
- Sign-in was blocked because it came from an IP address with malicious activity
Risk
Explain what risk this detection tries to cover
References
Sentinel
Explanation
This KQL query is designed to detect potential brute force or password spray attacks on an Azure tenant by identifying when multiple user accounts are locked within a short timeframe. Here's a simplified breakdown of the query:
-
Threshold and TimeFrame:
- The query sets a threshold of 3 accounts and a timeframe of 15 minutes. This means it looks for instances where at least 3 different accounts are locked within a 15-minute period.
-
Source of Data:
- The query analyzes data from the
SigninLogs, which contains records of sign-in attempts.
- The query analyzes data from the
-
Filtering Criteria:
- It specifically looks for sign-in attempts that resulted in the error code
50053. This error code indicates that an account is locked due to too many incorrect sign-in attempts or because the sign-in attempt came from a suspicious IP address.
- It specifically looks for sign-in attempts that resulted in the error code
-
Aggregation:
- The query groups the data by the time the event was generated (in 15-minute bins) and by the IP address from which the sign-in attempts were made.
- It counts the distinct number of user accounts (
TotalAccounts) that were locked and creates a list of these accounts (Accounts) and the user agents used (UserAgentDetails).
-
Filtering on Threshold:
- It only considers cases where the number of locked accounts (
TotalAccounts) is greater than or equal to the threshold of 3.
- It only considers cases where the number of locked accounts (
-
Geolocation Information:
- For each suspicious IP address, the query retrieves geolocation information, including the country, state, and city, to provide context about where the potentially malicious activity originated.
Risk Explanation: The risk this detection aims to cover is the possibility of unauthorized access attempts through brute force or password spray attacks. These attacks can lead to account compromise if successful, potentially resulting in data breaches or unauthorized actions within the Azure environment.
References:
The query references Microsoft's documentation on error codes to provide additional context on the error code 50053 used in the detection.
