Query Details

Top 10 Most Sprayed UPNs By IPs And Countries Using Behaviour Analytics

Query

// Top 10 Most Sprayed UPNs by IPs and Countries using BehaviourAnalytics

// In the past week, password spray attacks against my Entra tenant have spiked, originating from IPs marked as "Bruteforce", "Botnet", and "Watchlist" in BehaviourAnalytics. This observation can easily be seen from the Entra - Overview blade - Monitoring (Sign-ins) graph. Out of curiosity, I constructed the below KQL query to examine the top 10 most attacked UPNs, and the results for these top 10 UPNs are consistently from approximately 96 unique IP addresses across around 66 countries. 💡 Now, associate these IPs with a new named location and create a CA policy to enforce grant access with the conditions: Require Microsoft Entra hybrid joined device, Require multifactor authentication, and Require authentication strength (passwordless MFA), to mitigate the sign-in risk and ensure business as usual for Entra users' login while lowering the risk.

BehaviorAnalytics
| where TimeGenerated > ago(7d)
// Failed sign-ins scored by UEBA for Entra ID (the EventSource value is still the literal "Azure AD")
| where ActivityType == "FailedLogOn" and EventSource == "Azure AD"
// Keep only rows where UEBA attached a threat-intel indicator to the source IP
| where DevicesInsights has "ThreatIntelIndicatorType"
| extend ThreatType = tostring(DevicesInsights.ThreatIntelIndicatorType)
// InvestigationPriority 0 means UEBA found nothing anomalous about the row; drop those
| where InvestigationPriority > 0
| where ThreatType has "Bruteforce" or ThreatType has "Botnet" or ThreatType has "Watchlist"
// Distinct source IPs and distinct SourceIPLocation values per UPN
// (SourceIPLocation is the geolocation string resolved for the IP, used here as a proxy for country)
| summarize NumofIPAttack=dcount(SourceIPAddress), NumofCountryAttack=dcount(SourceIPLocation) by UserPrincipalName
| top 10 by NumofIPAttack desc

// The MITRE ATT&CK technique for password spraying is T1110.003 (Brute Force: Password Spraying)

Explanation

This KQL query identifies the top 10 user principal names (UPNs) targeted by password spray attempts over the past week, restricted to attempts whose source IP UEBA has tagged as "Bruteforce", "Botnet" or "Watchlist" in the BehaviorAnalytics table. Step by step, in the order the query applies them:

  1. Time frame: data from the last 7 days (TimeGenerated > ago(7d)).
  2. Activity type: failed sign-ins (ActivityType == "FailedLogOn") whose event source is Entra ID; the EventSource value is still the literal "Azure AD".
  3. Threat intelligence: only rows whose DevicesInsights carries a ThreatIntelIndicatorType, which is extracted into the ThreatType column.
  4. Investigation priority: only events UEBA scored above 0, i.e. ones it considers anomalous; rows with priority 0 are discarded.
  5. Threat type: ThreatType must contain "Bruteforce", "Botnet" or "Watchlist".
  6. Summarization: per UPN, the number of distinct source IP addresses and of distinct SourceIPLocation values (the location string stands in for country, so NumofCountryAttack is an approximation).
  7. Top 10: the 10 UPNs with the most distinct attacking IPs are kept.

In the author's tenant the result was stable across the week: roughly 96 unique IP addresses across about 66 countries hitting the same 10 UPNs. On that basis the recommendation is to put those IPs in a Conditional Access (CA) named location and apply a policy scoped to it that requires:

  • Devices to be Microsoft Entra hybrid joined.
  • Multifactor authentication (MFA).
  • Passwordless MFA as the authentication strength.

These controls aim to mitigate the sign-in risk while keeping sign-in working for legitimate users. Two practical points when building the policy: in the CA grant controls, "Require authentication strength" and "Require multifactor authentication" cannot be selected together, so choose the authentication strength (it already implies MFA); and spray infrastructure rotates, so the named location should be refreshed from the query's output rather than populated once. The query references the MITRE ATT&CK technique T1110.003, Brute Force: Password Spraying.
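To check the filter and summarize logic offline, here is an added Python re-implementation of the query run over constructed BehaviorAnalytics-shaped records; it is not code from the page or from Steven Lim, and the sample rows, the fixed NOW timestamp and all helper names are my assumptions. It handles ThreatIntelIndicatorType arriving either as a string or as an array (tostring() of a dynamic array yields its JSON text, which `has` still matches), treats priority 0 and null the same way the query does, and also emits the distinct attacking IPs in the shape of a Microsoft Graph ipNamedLocation create body, the input for the named location recommended above. That payload shape is assumed from the Graph documentation and should be checked against the reference before use.

```python
"""Python re-implementation of the BehaviorAnalytics password-spray query, run over
constructed sample records so the aggregation can be checked offline.
Added example; not part of the original page or the author's query."""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 10, 6, tzinfo=timezone.utc)   # fixed "now" so the 7-day window is reproducible (assumption)
THREAT_TYPES = ("Bruteforce", "Botnet", "Watchlist")

# Constructed rows shaped like BehaviorAnalytics columns; not real telemetry.
# (UPN, source IP, SourceIPLocation, InvestigationPriority, DevicesInsights, age in days, ActivityType, EventSource)
SAMPLE_ROWS = [
    ("alice@contoso.com", "203.0.113.10", "Brazil",  5, {"ThreatIntelIndicatorType": ["Bruteforce"]},          1, "FailedLogOn", "Azure AD"),
    ("alice@contoso.com", "198.51.100.7", "Vietnam", 4, {"ThreatIntelIndicatorType": "Botnet"},                2, "FailedLogOn", "Azure AD"),
    ("alice@contoso.com", "198.51.100.7", "Vietnam", 4, {"ThreatIntelIndicatorType": "Botnet"},                3, "FailedLogOn", "Azure AD"),  # same IP again: dcount stays 2
    ("bob@contoso.com",   "192.0.2.44",   "Nigeria", 3, {"ThreatIntelIndicatorType": ["Watchlist", "Botnet"]}, 1, "FailedLogOn", "Azure AD"),
    ("bob@contoso.com",   "192.0.2.45",   "Nigeria", 0, {"ThreatIntelIndicatorType": ["Bruteforce"]},          1, "FailedLogOn", "Azure AD"),  # priority 0: excluded
    ("carol@contoso.com", "203.0.113.99", "Brazil",  6, {"ThreatIntelIndicatorType": ["Bruteforce"]},          9, "FailedLogOn", "Azure AD"),  # 9 days old: outside window
    ("dave@contoso.com",  "203.0.113.50", "Brazil",  6, {"ThreatIntelIndicatorType": ["Tor"]},                 1, "FailedLogOn", "Azure AD"),  # indicator type not in scope
    ("erin@contoso.com",  "203.0.113.51", "Brazil",  6, {"ThreatIntelIndicatorType": ["Bruteforce"]},          1, "LogOn",       "Azure AD"),  # successful sign-in: excluded
    ("frank@contoso.com", "203.0.113.52", "Brazil",  6, {"ThreatIntelIndicatorType": ["Bruteforce"]},          1, "FailedLogOn", "Windows"),   # not an Entra event
    ("bob@contoso.com",   "192.0.2.46",   "Ghana",   2, {"OtherInsight": True},                                1, "FailedLogOn", "Azure AD"),  # no TI indicator at all
]


def make_records(rows, now=NOW):
    """Turn the compact sample tuples into dicts keyed like the BehaviorAnalytics columns."""
    return [{
        "TimeGenerated": now - timedelta(days=age),
        "ActivityType": act,
        "EventSource": src,
        "UserPrincipalName": upn,
        "SourceIPAddress": ip,
        "SourceIPLocation": loc,
        "InvestigationPriority": prio,
        "DevicesInsights": insights,
    } for upn, ip, loc, prio, insights, age, act, src in rows]


def threat_type(insights):
    """Equivalent of tostring(DevicesInsights.ThreatIntelIndicatorType); '' when the key is absent."""
    v = insights.get("ThreatIntelIndicatorType")
    if v is None:
        return ""
    return v if isinstance(v, str) else json.dumps(v)   # arrays serialise like tostring() on a dynamic array


def in_scope(rec, now=NOW, window=timedelta(days=7)):
    """Mirror the five where-filters of the KQL query; True if the row survives all of them."""
    if rec["TimeGenerated"] <= now - window:                          # TimeGenerated > ago(7d)
        return False
    if rec["ActivityType"] != "FailedLogOn" or rec["EventSource"] != "Azure AD":
        return False
    if "ThreatIntelIndicatorType" not in rec["DevicesInsights"]:      # DevicesInsights has "ThreatIntelIndicatorType"
        return False
    if (rec["InvestigationPriority"] or 0) <= 0:                      # InvestigationPriority > 0 (null is not > 0)
        return False
    tt = threat_type(rec["DevicesInsights"]).lower()
    return any(t.lower() in tt for t in THREAT_TYPES)                 # `has` is case-insensitive; substring suffices for these labels


def top_sprayed_upns(records, n=10):
    """summarize dcount(SourceIPAddress), dcount(SourceIPLocation) by UPN | top n by IP count.
    Returns (upn, distinct_ips, distinct_locations); ties are broken by UPN for determinism."""
    ips, locs = defaultdict(set), defaultdict(set)
    for r in filter(in_scope, records):
        ips[r["UserPrincipalName"]].add(r["SourceIPAddress"])
        locs[r["UserPrincipalName"]].add(r["SourceIPLocation"])
    rows = [(upn, len(ips[upn]), len(locs[upn])) for upn in ips]
    return sorted(rows, key=lambda x: (-x[1], x[0]))[:n]


def attacker_ips(records):
    """Distinct in-scope source IPs: the list to load into the CA named location."""
    return sorted({r["SourceIPAddress"] for r in records if in_scope(r)})


def named_location_body(display_name, ips):
    """Assumed shape of a Microsoft Graph ipNamedLocation create request; verify against the Graph reference."""
    return {
        "@odata.type": "#microsoft.graph.ipNamedLocation",
        "displayName": display_name,
        "isTrusted": False,
        "ipRanges": [{"@odata.type": "#microsoft.graph.iPv4CidrRange", "cidrAddress": f"{ip}/32"} for ip in ips],
    }


if __name__ == "__main__":
    recs = make_records(SAMPLE_ROWS)
    for upn, n_ip, n_loc in top_sprayed_upns(recs):
        print(f"{upn:20} IPs={n_ip} locations={n_loc}")
    print(json.dumps(named_location_body("Spray sources - last 7d", attacker_ips(recs)), indent=2))
```

Only alice and bob survive the filters in the sample: alice with two distinct IPs and two locations, bob with one of each (his priority-0 row and his row without a threat-intel indicator are dropped, exactly as the KQL drops them). Re-running this against fresh query output each day and re-posting the named location body is the cheap way to keep the CA policy aligned with rotating spray infrastructure.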

Details


Steven Lim

Released: October 6, 2024

Tables

BehaviorAnalytics

Keywords

BehaviorAnalytics, Devices, AzureAD, UserPrincipalName, SourceIPAddress, SourceIPLocation

Operators

BehaviorAnalytics, where, TimeGenerated, ago, ActivityType, EventSource, DevicesInsights, has, extend, tostring, InvestigationPriority, summarize, dcount, by, top, desc
