What Changed

New hunting query IPIdentityFailureBurstFollowedBySuccess.yaml added to Hunting Queries/MultipleDataSources/ targeting password spraying and credential misuse patterns.

Detection Logic

The query correlates both interactive (SigninLogs) and non-interactive (AADNonInteractiveUserSignInLogs) sign-ins by source IP address within a 15-minute correlation window. It triggers when:

  • Minimum 5 distinct failed users from the same IP
  • Minimum 20 failed attempts from the same IP
  • Followed by successful authentication (max 3 successful users)
  • Success codes include: 0, 50125, 50140, 70043, 70044

Key output includes failure-to-success exposure ratio and comprehensive user/app/source table sets for investigation context. Entity mappings target Account (FirstSuccessfulUser) and IP address.
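The correlation above, re-implemented in Python as an added illustration (this is not the KQL shipped in the PR and not Microsoft's code). It groups constructed sign-in rows from both tables by source IP, slides a 15-minute window anchored at each failure, and reports the IP when at least 20 failures across at least 5 users precede a success and no more than 3 distinct users succeed in that window. Column names (time, ip, user, app, result_type), the sample IPs and users, and the definition of the exposure ratio as failures per success are assumptions made for the example.

```python
"""Illustrative re-implementation (not the PR's KQL) of the IP-keyed
failure-burst-then-success correlation, run over constructed sign-in rows."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Thresholds and success codes exactly as stated in the PR description.
SUCCESS_CODES = {"0", "50125", "50140", "70043", "70044"}
WINDOW = timedelta(minutes=15)
MIN_FAILED_USERS = 5
MIN_FAILED_ATTEMPTS = 20
MAX_SUCCESS_USERS = 3


@dataclass(frozen=True)
class SignIn:
    """One row from SigninLogs or AADNonInteractiveUserSignInLogs (assumed column subset)."""
    time: datetime
    ip: str
    user: str
    app: str
    result_type: str
    source: str

    @property
    def success(self) -> bool:
        return self.result_type in SUCCESS_CODES


def _burst_then_success(ip, evs, window):
    """Anchor a window at each failure (evs sorted by time); return the first window in
    which a qualifying failure burst is followed by at most MAX_SUCCESS_USERS successful users."""
    for start in (e for e in evs if not e.success):
        in_window = [e for e in evs if start.time <= e.time <= start.time + window]
        first_success = next((e for e in in_window if e.success), None)
        if first_success is None:
            continue
        failures = [e for e in in_window if not e.success and e.time < first_success.time]
        successes = [e for e in in_window if e.success]
        failed_users = sorted({e.user for e in failures})
        success_users = sorted({e.user for e in successes})
        if (len(failures) >= MIN_FAILED_ATTEMPTS
                and len(failed_users) >= MIN_FAILED_USERS
                and len(success_users) <= MAX_SUCCESS_USERS):
            return {
                "ip": ip,
                "burst_start": start.time,
                "first_success": first_success.time,
                "first_successful_user": first_success.user,  # Account entity
                "failed_attempts": len(failures),
                "failed_user_count": len(failed_users),
                "failed_users": failed_users,
                "successful_attempts": len(successes),
                "successful_users": success_users,
                # Assumed definition: failures per success inside the window.
                "exposure_ratio": len(failures) / len(successes),
                "apps": sorted({e.app for e in in_window}),
                "sources": sorted({e.source for e in in_window}),
            }
    return None


def correlate_by_ip(events, window=WINDOW):
    """Merge rows from both tables, key them by source IP, and return one finding per matching IP."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e.ip].append(e)
    findings = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e.time)
        finding = _burst_then_success(ip, evs, window)
        if finding:
            findings.append(finding)
    return findings


# Constructed sample data (documentation IP ranges, made-up users); 50126 is the
# "invalid username or password" result code.
BASE = datetime(2024, 1, 15, 10, 0)


def _mk(minute, ip, user, result, source="SigninLogs", app="Office 365"):
    return SignIn(BASE + timedelta(minutes=minute), ip, user, app, result, source)


SAMPLE_EVENTS = (
    # Spray-like burst: 24 failures over 6 users in 11 minutes, then 2 users succeed.
    [_mk(m % 11, "203.0.113.7", f"user{m % 6}@contoso.example", "50126") for m in range(24)]
    + [_mk(12, "203.0.113.7", "user2@contoso.example", "0", "AADNonInteractiveUserSignInLogs")]
    + [_mk(13, "203.0.113.7", "user4@contoso.example", "50125")]
    # Below threshold: one user fumbling a password, then logging in.
    + [_mk(m, "198.51.100.9", "user1@contoso.example", "50126") for m in range(3)]
    + [_mk(4, "198.51.100.9", "user1@contoso.example", "0")]
    # Shared NAT egress: plenty of failures, but 5 distinct users succeed, so it is excluded.
    + [_mk(m % 10, "192.0.2.50", f"staff{m % 7}@contoso.example", "50126") for m in range(25)]
    + [_mk(11, "192.0.2.50", f"staff{i}@contoso.example", "0") for i in range(5)]
)

if __name__ == "__main__":
    for f in correlate_by_ip(SAMPLE_EVENTS):
        print(f["ip"], f["failed_attempts"], "failures ->", f["first_successful_user"],
              "ratio", f["exposure_ratio"])
```

The shared-NAT sample is the case the "max 3 successful users" bound is there for: many failures from one egress IP are routine when hundreds of people sit behind it, and a burst that ends in five unrelated users logging in looks like normal office traffic rather than a spray that landed.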

MITRE Mapping

  • T1110.003 — Password Spraying
  • T1078 — Valid Accounts

Security Impact

This hypothesis-driven hunting query helps SOC analysts prioritize high-friction identity events indicating potential password spraying or opportunistic credential misuse. The explicit thresholds and bounded correlation windows reduce alert fatigue by focusing on meaningful patterns with entity relationships rather than isolated events. Analysts must validate results, as benign matches are expected in shared egress environments (NAT, VPN/proxy, enterprise gateways) and in legitimate automation/service activity.

Affected Files

Hunting Queries/MultipleDataSources/IPIdentityFailureBurstFollowedBySuccess.yaml