The purpose of this blog is to explain the difference between ‘brute force’ and ‘password spray’ attacks, using real-world data and visualizations from the Azure Sentinel Logs (hunting) and Workbooks features.

Brute force attack

Blog Derk Sentinel attack 1

A brute force password attack tries many passwords (automated from a password file, for example) against one user account. This pattern is easy for security systems to detect, because one account accumulates a large number of failures in a short time, and the usual response is to lock the account (Azure AD Smart Lockout is the feature that protects users against this type of attack).

Password spray attack

Blog Derk Sentinel attack 2

A password spray attack tries one (commonly used) password against many user accounts. Each account sees only one or a few failures, which stays below the lockout threshold, so this attack method is not easily detected by per-account security controls.

Azure Sentinel

Azure Sentinel can be used to detect and visualize both types of attacks. The required Data Connector is Azure Active Directory (which requires at least an Azure AD Premium P1 license); it populates the SigninLogs table.

Blog Derk Sentinel attack 3

Logs

The Logs section gives direct access to KQL for querying the data in the Log Analytics workspace (the same queries can later be reused in Analytics rules for incidents or in Hunting queries). The table we will use is SigninLogs, and the column that tells us whether a sign-in failed, and why, is ResultType (an Azure AD sign-in error code).

Table        Column      Value   Description
SigninLogs   ResultType  50126   Invalid username or password
SigninLogs   ResultType  50053   Account is locked / sign-in was blocked

Brute Force Attack

The query must only return users whose failed sign-ins (the ResultType values above) originate from more than one IP address and more than one country. The result is the query below (set the time range to 7 or 30 days, for example).

Blog Derk Sentinel attack 4

The output of the query is shown below (names are anonymized).

Blog Derk Sentinel attack 5

As you can see, user ‘anonymous’ is attacked from 258 different IP addresses in different countries. Unless user ‘anonymous’ is on a ‘world trip,’ this is a likely example of a brute force password attack: the attacker rotates IP addresses and countries to avoid per-IP detection and throttling.
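The author's query is only visible in the screenshot above, so the KQL below is an added example written for this post, not the author's query. It implements the filter described in the text: failed sign-ins (ResultType 50126 or 50053) grouped per user, kept only where they originate from more than one IP address and more than one country. The column names (SigninLogs, ResultType, UserPrincipalName, IPAddress, LocationDetails.countryOrRegion) are the standard Azure AD sign-in log schema; the 7-day window and the ‘> 1’ thresholds are assumptions you should tune for your own tenant.

```kql
// Added example (not the author's query): users whose failed sign-ins
// come from more than one IP address AND more than one country.
// Assumed: 7-day window; thresholds of >1 IP and >1 country as in the text.
SigninLogs
| where TimeGenerated > ago(7d)
| where ResultType in ("50126", "50053")      // bad password, or account locked / sign-in blocked
| extend Country = tostring(LocationDetails.countryOrRegion)
| summarize
    FailedAttempts    = count(),
    DistinctIPs       = dcount(IPAddress),
    DistinctCountries = dcount(Country),
    Countries         = make_set(Country, 20),   // sample of origin countries for triage
    FirstSeen         = min(TimeGenerated),
    LastSeen          = max(TimeGenerated)
    by UserPrincipalName
| where DistinctIPs > 1 and DistinctCountries > 1
| order by DistinctIPs desc
```

Two checks worth adding when you triage the result: compare FirstSeen/LastSeen with the attempt count to see how fast the attacker is going (a few hundred attempts in minutes is not a travelling user), and run the same IP list against successful sign-ins (ResultType "0") for that user, because a success from one of the attacking IPs turns a hunt into an incident.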

Password Spray attack

The query must only return IP addresses whose failed sign-ins (the ResultType values above) target more than one user. The result is the query below (set the time range to 7 or 30 days, for example).

Blog Derk Sentinel attack 6

The output of the query is shown below (names are anonymized).

Blog Derk Sentinel attack 7

The output shows one IP address (219.93.121.22, located in Malaysia, see https://www.abuseipdb.com/check/219.93.121.22) attacking multiple users within the organization. This is a likely example of a password spray attack.
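As with the brute force section, the author's spray query is only shown as a screenshot, so the KQL below is an added example written for this post, not the author's query. It pivots the same failed sign-ins the other way round: grouped per source IP address, kept only where one IP fails against more than one user. The AttemptsPerUser column is my own addition; a value close to 1 across many users is the classic spray signature (one password tried once per account). Column names follow the standard SigninLogs schema; the window and threshold are assumptions.

```kql
// Added example (not the author's query): IP addresses failing against more than one user.
// Assumed: 7-day window; threshold of >1 user as in the text.
SigninLogs
| where TimeGenerated > ago(7d)
| where ResultType in ("50126", "50053")      // bad password, or account locked / sign-in blocked
| extend Country = tostring(LocationDetails.countryOrRegion)
| summarize
    FailedAttempts = count(),
    DistinctUsers  = dcount(UserPrincipalName),
    Users          = make_set(UserPrincipalName, 50),   // sample of targeted accounts
    FirstSeen      = min(TimeGenerated),
    LastSeen       = max(TimeGenerated)
    by IPAddress, Country
| where DistinctUsers > 1
// ~1.0 means one attempt per account: the typical spray pattern that stays under lockout thresholds
| extend AttemptsPerUser = round(todouble(FailedAttempts) / DistinctUsers, 1)
| order by DistinctUsers desc
```

Expect some noise from legitimate shared egress addresses (an office NAT or a VPN concentrator produces many users failing from one IP). Those usually show a high AttemptsPerUser with a handful of users and business-hours timing, while a spray shows many users, roughly one attempt each, within a short window.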

Workbooks

Workbooks can be used to provide an overview of the attacks on a world map (for a Dutch organization, for example, sign-in failures from Asia are far more likely to be malicious than those from Europe). We can use the information (query and map settings) below to get a visual world map of the password attack(s) on the Office 365 (Azure AD) tenant.

Blog Derk Sentinel attack 8

The result is the world map below with attack origin by country.

Blog Derk Sentinel attack 9
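The workbook query and map settings are only shown in the screenshot above, so the KQL below is an added example written for this post, not the author's workbook. It aggregates the same failed sign-ins per country of origin, which is the shape the Workbooks map visualization expects when it plots by country. The map settings listed in the comments are the ones to set in the Workbook editor as I know them (assumed; check the option names in your own editor), and the 30-day window is an assumption.

```kql
// Added example (not the author's workbook query): failed sign-ins per country of origin,
// for the Workbook map visualization.
// Assumed map settings in the Workbook editor:
//   Visualization: Map
//   Location info using: Country or region   -> Country/region field: Country
//   Size by: FailedAttempts   (DistinctUsers or DistinctIPs also work as the size metric)
SigninLogs
| where TimeGenerated > ago(30d)
| where ResultType in ("50126", "50053")      // bad password, or account locked / sign-in blocked
| extend Country = tostring(LocationDetails.countryOrRegion)
| where isnotempty(Country)                   // rows without geo data cannot be plotted
| summarize
    FailedAttempts = count(),
    DistinctIPs    = dcount(IPAddress),
    DistinctUsers  = dcount(UserPrincipalName)
    by Country
| order by FailedAttempts desc
```

Keep in mind that the map shows where the attacking infrastructure sits (cloud hosting, VPN exits, compromised hosts), not where the attacker is, so treat the geography as a prioritization aid rather than attribution.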

Conclusion

If you got any questions about Azure Sentinel or Microsoft Security in general (Microsoft 365 E5, for example), please contact me or the InSpark Security department.
