Skip to main content
Sumo Logic

Lab 5 - Azure Account compromise detection from a brute force attack

Parsing your logs allow you to provide structure to your messages, identifying the fields that are meaningful to you.

Brute force cyber attacks account for 5% of security breaches on governments, businesses, organizations, and private individuals. The actors are getting more an more clever in their techniques so you want to catch these attempts. You can detect this brute force attempt by monitoring Active Directory data for a high number of failed login attempts within a period of time. 

In this lab you will detect a brute force hacking technique used to find out the user credentials by applying both conditional statements and advanced filtering capabilities.
 

Create a brute force attack query

  1.  Click +New, Screen Shot 2020-04-30 at 1.36.34 PM.png and select Log Search. Paste the query below into the query builder. Change your time to Last 30 days and then click Start.

_sourceCategory="Labs/Azure/AD"
| json field=_raw "operationName" 
| where %operationName = "Sign-in activity"
| json field=_raw "resultType"
| json field=_raw "properties.userPrincipalName" as identity
| if(resultType = "0",1,0) as success_count
| if(resultType = "1",1,0) as failure_count
| timeslice 5m
| sum(success_count) as Success, sum(failure_count) as Failure by identity,_timeslice
| where Success > 0 AND Failure > 8
| sort by _timeslice desc
| top 1 identity,_timeslice,Success,Failure
| fields - _count

  1. Save this query as Potential Brute force Attacks and publish the table to the Dashboard that we created back in Lab 2. 

clipboard_e5df1b0f3fe7d99a228d8cc12d43b217a.png

  1. This will save the new panel into your dashboard that is in your personal folder Screen Shot 2020-04-29 at 7.53.05 PM.png and also open the dashboard. We will come back to this dashboard to add other queries.

    clipboard_e4a8868688473cfceb80a2b00d431128c.png