diff --git a/detections/cloud/azure_ad_multi_source_failed_authentications_spike.yml b/detections/cloud/azure_ad_multi_source_failed_authentications_spike.yml
index 1872920cc5..2f02e9b541 100644
--- a/detections/cloud/azure_ad_multi_source_failed_authentications_spike.yml
+++ b/detections/cloud/azure_ad_multi_source_failed_authentications_spike.yml
@@ -1,7 +1,7 @@
 name: Azure AD Multi-Source Failed Authentications Spike
 id: 116e11a9-63ea-41eb-a66a-6a13bdc7d2c7
-version: 9
-date: '2025-05-02'
+version: 10
+date: '2025-09-17'
 author: Mauricio Velazco, Splunk
 status: production
 type: Hunting
@@ -16,14 +16,14 @@ description: The following analytic detects potential distributed password spray
 login attempts. If confirmed malicious, this could lead to unauthorized access, data breaches, privilege escalation, and lateral movement within the organization's infrastructure.
-search: '`azure_monitor_aad` category=SignInLogs properties.status.errorCode=50126 properties.authenticationDetails{}.succeeded=false
+search: '`azure_monitor_aad` category=*SignInLogs properties.status.errorCode=50126 properties.authenticationDetails{}.succeeded=false
 | rename properties.* as *
 | bucket span=5m _time
 | eval uniqueIPUserCombo = src_ip . "-" . user
 | rename userAgent as user_agent
 | fillnull
 | stats count min(_time) as firstTime max(_time) as lastTime dc(uniqueIPUserCombo) as uniqueIpUserCombinations, dc(user) as uniqueUsers, dc(src_ip) as uniqueIPs, dc(user_agent) as uniqueUserAgents, dc(location.countryOrRegion) as uniqueCountries values(location.countryOrRegion) as countries values(action) as action values(dest) as dest values(user) as user values(src) as src values(vendor_account) as vendor_account values(vendor_product) as vendor_product values(user_agent) as user_agent
- | where uniqueIpUserCombinations > 20 AND uniqueUsers > 20 AND uniqueIPs > 20 AND uniqueUserAgents = 1
+ | where uniqueIpUserCombinations > 20 AND uniqueUsers > 20 AND uniqueIPs > 20 AND uniqueUserAgents >= 1
 | `security_content_ctime(firstTime)`
 | `security_content_ctime(lastTime)`
 | `azure_ad_multi_source_failed_authentications_spike_filter`'
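Review bot: The relaxed `uniqueUserAgents >= 1` in the new `where` clause is effectively always true — `fillnull` runs before `stats`, so any 5-minute bucket with `count > 0` has `dc(user_agent) >= 1` — which silently drops the single-user-agent discriminator that made a 20-IP/20-user burst look like one spraying tool rather than unrelated failures, while the widened `category=*SignInLogs` in the same hunk now feeds non-interactive, service-principal and managed-identity sign-in categories (whichever the `azure_monitor_aad` macro actually returns) into the same thresholds. If dropping the user-agent constraint is intended, make that explicit and simplify to `| where uniqueIpUserCombinations > 20 AND uniqueUsers > 20 AND uniqueIPs > 20`, keeping `uniqueUserAgents` in the `stats` output so analysts can still triage on it; if it is not, a bounded threshold (for example `uniqueUserAgents <= 3`) preserves the signal without requiring exactly one. The detection's `known_false_positives` and `how_to_implement` fields lie outside this hunk and should record the broader category match, since 50126 failures from non-interactive sign-ins (e.g. cached or stale credentials on devices) can plausibly inflate the distinct-user and distinct-IP counts.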