
Commit

Update and rename SucessfullPosswordSprayAttampOnAWSConsolelogin.yaml to SuccessfulAWSConsoleLoginfromIPAddressObservedConductingPasswordSpray.yaml

- Name and title changed
- Timing logic changed
4R9UN authored Aug 31, 2023
1 parent 4db19e8 commit 00e813d
Showing 1 changed file with 2 additions and 4 deletions.
@@ -1,5 +1,5 @@
id: 188db479-d50a-4a9c-a041-644bae347d1f
name: Successful Password Spray Attempt on AWS Console login
name: Successful AWS Console Login from IP Address Observed Conducting Password Spray
description: |
'This query aims to detect instances of successful AWS console login events followed by multiple failed app logons alerts generated by Microsoft Cloud App Security or password spray alerts generated by Defender Products.
Specifically, it focuses on scenarios where the successful login takes place within a 60-minute timeframe of the high-severity alert.
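Review bot: the description in this hunk no longer matches the new timing logic. It still says the successful login is "followed by" the alerts and "takes place within a 60-minute timeframe of the high-severity alert", while the changed filter later in this commit accepts logins up to an hour on either side of the alert; update the description to state that symmetric window. Also, the `description: |` block opens with a stray `'` that becomes part of the literal YAML string, so either drop the quote or close it.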
@@ -33,7 +33,6 @@ relevantTechniques:
- T1078
query: |
SecurityAlert
| where TimeGenerated >= ago(1d)
// Filtering alerts based on Microsoft product names and Relevent alert names
| where ProductName in ( "Microsoft Cloud App Security","Azure Active Directory Identity Protection")
|where AlertName in ("Multiple failed user log on attempts to an app","Password Spray")
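Review bot: style only. `|where AlertName in (...)` is missing the space after the pipe that every other line uses, and the comment reads "Relevent" where "Relevant" is meant; both are cheap to fix while the file is being renamed.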
@@ -77,7 +76,6 @@ query: |
// Joining with AWSCloudTrail data to correlate AWS console logins
| join kind=inner (
AWSCloudTrail
| where TimeGenerated >= ago(1d)
| where EventName == "ConsoleLogin"
| extend CTUPN= tolower(tostring(tolower(split(UserIdentityArn, "/", 2)[0])))
| extend ActionType= tostring(parse_json(ResponseElements).ConsoleLogin)
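Review bot: the `CTUPN` extend lowercases twice: `tolower(tostring(tolower(split(UserIdentityArn, "/", 2)[0])))`. The inner `tolower` already produces a lowercase value, so `tolower(tostring(split(UserIdentityArn, "/", 2)[0]))` is equivalent and easier to read. Not introduced by this commit, but it sits in the context of the renamed file and is worth cleaning up.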
@@ -101,7 +99,7 @@ query: |
)
on $left.EntityIp == $right.SourceIpAddress
// Filtering login event after the Alert generation time
| where AlertTimeGenerated >= AWSTime
| where AlertTimeGenerated between ((AWSTime - 1h)..(AWSTime + 1h))
// Calculating the time difference between alert generation and AWS login
| extend timediff = datetime_diff('minute', AlertTimeGenerated, TimeGenerated)
// Filtering alerts with a time difference of up to 60 minutes
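Review bot: the replacement filter `| where AlertTimeGenerated between ((AWSTime - 1h)..(AWSTime + 1h))` makes the window symmetric, but the comment directly above it still says "Filtering login event after the Alert generation time", and the removed line `| where AlertTimeGenerated >= AWSTime` enforced the opposite order (alert after login). Update the comment to say the login may fall up to an hour before or after the alert. The `timediff` computed on the next line with `datetime_diff('minute', AlertTimeGenerated, TimeGenerated)` will now be negative for logins that occur after the alert, so the "up to 60 minutes" filter that follows should compare `abs(timediff)` (or be dropped, since the `between` range already bounds it); please also confirm which field `AWSTime` aliases, given that this line uses `TimeGenerated` rather than `AWSTime`.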
