Hello, Can someone suggest a KQL logic for the following use cases: • Brute force attack against user credentials • Potential Password Spray Attack • User login from different countries within 3 hours • Sign-ins from IPs that attempt sign-ins to disabled accounts I have customer who has NetIQ IDM feeding to Sentinel in CEF - https://www.netiq.com/documentation/edirectory-92/edir_admin/data/t44e7j6b8ufi.html Thank you!

That would be hard to produce without access to your data. I recommend looking at the alert templates in Sentinel and the related GitHub repository. You should be able to find examples for most of these requests (or you may find one of the Azure security tools already meets the need). You should also consider if your Sentinel has the data needed for these scenarios. Brute force is easy enough. Password spray is a little more difficult. Both would likely be part of the Identity Protection solutions like MDI. You might see impossible travel in AAD Identity Protection and Defender for Cloud. That last scenario sounds very similar to Sentinel's multistage attack or Fusion rule.

KQL - suggest logic for NetIQ use cases

Accepted answer

Andrew Blumhardt 9,776 Reputation points Microsoft Employee

2022-06-29T12:15:44.357+00:00

That would be hard to produce without access to your data. I recommend looking at the alert templates in Sentinel and the related GitHub repository. You should be able to find examples for most of these requests (or you may find one of the Azure security tools already meets the need). You should also consider if your Sentinel has the data needed for these scenarios. Brute force is easy enough. Password spray is a little more difficult. Both would likely be part of the Identity Protection solutions like MDI. You might see impossible travel in AAD Identity Protection and Defender for Cloud. That last scenario sounds very similar to Sentinel's multistage attack or Fusion rule.
Please sign in to rate this answer.

1 person found this answer helpful.
Georgi Palazov 286 Reputation points

2022-06-29T12:38:40.317+00:00

let's start with the easiest then,sounds good to me - i.e regarding the use case - • Brute force attack against user credentials
I found the analytic rule - Brute force attack against Azure Portal to be similar to what we are looking for.
However the logic seems complex,i think. I was wondering if there's a way to simplify things for the following use case - • Brute force attack against user credentials

Andrew Blumhardt 9,776 Reputation points Microsoft Employee

2022-06-29T15:16:06.18+00:00

If you search for Brute Force in the Sentinel analytic rule templates you will see several examples. There is an Azure portal rule. No need to re-invent. I think you will find this is less about creating something new and more verification that your deployment has coverage.

MDFC also has some related built-in rules:
https://learn.microsoft.com/en-us/azure/defender-for-cloud/alerts-reference

Georgi Palazov 286 Reputation points

2022-06-30T05:38:56.577+00:00

What do you mean by "no need to re-invent"? Still i need to filter out. They way I filter NetIQ logs and their IDM component is:

CommonSecurityLog
| where DeviceVendor contains "NetIQ"

How should i structure the logic for the analytic rule "Brute force attack against Azure Portal" so that it should be related to the one we need for NetIQ - Brute force attack against user credentials?

Thanks!

Andrew Blumhardt 9,776 Reputation points Microsoft Employee

2022-06-30T14:16:16.853+00:00

Ah, I misunderstood.

The templates do use a rather complex looking approach to queries. It does not need to be that complicated.

I do not have NetIQ logs for testing. This is not a working example but you probably want something like this. You will need some way to isolate failed logon attempts. Run this say once per hour and set a threshold based on your acceptable trends.

let Threshold = 20;
CommonSecurityLog
| where DeviceVendor contains "NetIQ"
| where Message contains "failed logon" //This is just a guess, you will need to define a working filter
| summarize count() by Computer
| where count_ > Threshold

You might also consider charting this over time to determine a good threshold using something like this:

CommonSecurityLog
| where TimeGenerated > ago(90d)
| where DeviceVendor contains "NetIQ"
| where Message contains "failed logon"
| summarize count() by bin(TimeGenerated, 1h), Computer
| render timechart

JamesTran-MSFT 36,541 Reputation points Microsoft Employee

2022-07-01T22:04:16.88+00:00

@Georgi Palazov
I just wanted to check in and see if you had any other questions or if you were able to resolve this issue?

If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.

----------

Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.
Sign in to comment

Share via

KQL - suggest logic for NetIQ use cases

0 additional answers