← Back to SOC feed Coverage →

Potential Password Spray Attack (Uses Authentication Normalization)

kql MEDIUM Azure-Sentinel
T1110
imAuthentication
microsoftofficial
This detection content is auto-generated from open-source rule repositories and enriched with AI analysis. Always validate rules in a test environment before deploying to production Sentinel workspaces.
View original rule at Azure-Sentinel →
Retrieved: 2026-03-19T03:46:59Z · Confidence: medium

Hunt Hypothesis

‘This query searches for failed attempts to log in from more than 15 various users within a 5 minute timeframe from the same source. This is a potential indication of a password spray attack To use t

KQL Query

let FailureThreshold = 15;
imAuthentication
| where EventType== 'Logon' and  EventResult== 'Failure'
// reason: creds 
| where EventResultDetails in ('No such user or password', 'Incorrect password')
| summarize UserCount=dcount(TargetUserId), Vendors=make_set(EventVendor), Products=make_set(EventVendor)
  , Users = make_set(TargetUserId,100) 
    by SrcDvcIpAddr, SrcGeoCountry, bin(TimeGenerated, 5m)
| where UserCount > FailureThreshold

Analytic Rule Definition

id: 6a2e2ff4-5568-475e-bef2-b95f12b9367b
name: Potential Password Spray Attack (Uses Authentication Normalization)
description: |
  'This query searches for failed attempts to log in from more than 15 various users within a 5 minute timeframe from the same source. This is a potential indication of a password spray attack
   To use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimAuthentication)'
severity: Medium
requiredDataConnectors: []
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
tactics:
  - CredentialAccess 
relevantTechniques:
  - T1110
tags:
  - Id: e27dd7e5-4367-4c40-a2b7-fcd7e7a8a508
    version: 1.0.0
  - Schema: ASIMAuthentication
    SchemaVersion: 0.1.0
query: |
  let FailureThreshold = 15;
  imAuthentication
  | where EventType== 'Logon' and  EventResult== 'Failure'
  // reason: creds 
  | where EventResultDetails in ('No such user or password', 'Incorrect password')
  | summarize UserCount=dcount(TargetUserId), Vendors=make_set(EventVendor), Products=make_set(EventVendor)
    , Users = make_set(TargetUserId,100) 
      by SrcDvcIpAddr, SrcGeoCountry, bin(TimeGenerated, 5m)
  | where UserCount > FailureThreshold

entityMappings:
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: SrcDvcIpAddr
version: 1.1.3
kind: Scheduled
metadata:
    source:
        kind: Community
    author:
        name: Ofer Shezaf
    support:
        tier: Community
    categories:
        domains: [ "Security - Others", "Identity" ]

Required Data Sources

Sentinel TableNotes
imAuthenticationEnsure this data connector is enabled

MITRE ATT&CK Context

References

Original source: https://github.com/Azure/Azure-Sentinel/blob/main/Detections/ASimAuthentication/imAuthPasswordSpray.yaml