Understanding Sentinel Password Spray Data With Copilot For Microsoft 365
Query
//Understanding Sentinel password spray data with Copilot for Microsoft 365
//https://www.linkedin.com/pulse/understanding-sentinel-password-spray-data-copilot-microsoft-lim-i7o3c/
SigninLogs
| where TimeGenerated > ago(1d)
| where ResultType == "50126"
// ResultType == "50053" - Account is locked because user tried to sign in too many times with an incorrect user ID or password.
// ResultType == "50053" - Sign-in was blocked because it came from an IP address with malicious activity
// ResultType == "50126" - Invalid username or password or Invalid on-premise username or password.
| extend City = tostring(LocationDetails.city)
| extend State = tostring(LocationDetails.state)
| extend Country = tostring(LocationDetails.countryOrRegion)
| project TimeGenerated, UserPrincipalName, ResultType, ResultDescription, Country, State, City, AppDisplayName, ClientAppUsed, UserAgent
// MITRE ATT&CK Mapping
// The KQL query is primarily focused on detecting failed sign-in attempts due to invalid credentials. This can be mapped to the following MITRE ATT&CK techniques:
// T1078 - Valid Accounts:
// Description: Adversaries may use valid accounts to maintain access to victim systems. Valid accounts may be used to bypass access controls placed on various resources.
// Detection: Monitoring for failed authentication attempts can help identify attempts to use stolen or guessed credentials.
// T1110 - Brute Force:
// Description: Adversaries may use brute force techniques to attempt to gain access to accounts by guessing passwords.
// Detection: Monitoring for multiple failed authentication attempts can help identify brute force attempts.
// T1071 - Application Layer Protocol:
// Description: Adversaries may use application layer protocols to communicate with systems under their control.
// Detection: Monitoring for unusual or unauthorized use of application layer protocols can help identify malicious activity.Explanation
This query is designed to analyze failed sign-in attempts in Microsoft Sentinel, focusing on instances where users have entered invalid credentials. It filters sign-in logs from the past day to identify attempts with a specific error code ("50126"), which indicates an invalid username or password. The query extracts and displays relevant information such as the time of the attempt, the user's name, the location details (city, state, country), the application used, and the user agent.
The query is also related to certain MITRE ATT&CK techniques:
-
T1078 - Valid Accounts: This technique involves adversaries using valid accounts to access systems. Monitoring failed sign-ins can help detect attempts to use stolen or guessed credentials.
-
T1110 - Brute Force: This technique involves adversaries trying multiple passwords to gain access. The query helps identify such attempts by tracking multiple failed sign-ins.
-
T1071 - Application Layer Protocol: This technique involves adversaries using application protocols for communication. The query can help detect unusual use of these protocols, indicating potential malicious activity.
