What Changed

The KQL query in the BruteForceAgainstanEntraAuthenticatedWindowsDevice Analytic Rule (v2.0.2 to v2.0.3) now includes an explicit sort by UserPrincipalName asc, TimeGenerated asc followed by serialize immediately before the summarize make_list(…) step that builds the time-series arrays fed into series_decompose_anomalies.

Detection Logic

  • Primary data source: SigninLogs (Entra ID sign-in events)
  • Core logic: Aggregates authentication failures vs. successes per user per time window, builds a FailureSuccessDiff time-series per user, and applies series_decompose_anomalies to surface statistically unusual failure spikes consistent with brute-force credential attacks (T1110.001 / T1110.003).
  • Entity mappings: Account (UserPrincipalName, DisplayName), IP (IPAddressFirst)

Security Impact

Without deterministic row ordering before make_list, the Diff and TimeStamp arrays passed to series_decompose_anomalies could be misaligned – time values and delta values belonging to different time buckets could be paired, producing incorrect anomaly scores. This means the rule could have been under-firing on genuine brute-force activity or over-firing on benign sequences depending on Kusto execution order.

The fix adds sort by UserPrincipalName asc, TimeGenerated asc and serialize to guarantee row order is preserved through the summarize step, ensuring the time-series passed to series_decompose_anomalies is chronologically consistent.

Note: A reviewer comment flags that sort by alone may not reliably enforce element order inside make_list due to Kusto parallel execution. The addition of serialize addresses this – serialize prevents the optimizer from reordering rows, making make_list order deterministic. Teams relying on this rule should re-baseline expected alert volumes after the fix is deployed.
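The ordering pattern the fix introduces, shown in a reconstructed KQL skeleton (an added illustration, not the rule's actual query, which this page does not reproduce). The 1-hour bin, 7-day lookback, anomaly threshold, and the success/failure test on ResultType are assumptions; only the column names FailureSuccessDiff, Diff, TimeStamp, UserPrincipalName, DisplayName and IPAddressFirst come from the page.

```kql
// Reconstructed illustration of the v2.0.3 ordering fix (not the rule's own query).
// Assumed parameters: 7d lookback, 1h buckets, anomaly threshold 3.
let lookback = 7d;
let bucket = 1h;
SigninLogs
| where TimeGenerated > ago(lookback)
// Assumption: ResultType "0" is a successful sign-in, anything else a failure.
| extend Failed = iff(ResultType != "0", 1, 0),
         Succeeded = iff(ResultType == "0", 1, 0)
| summarize Failures = sum(Failed),
            Successes = sum(Succeeded),
            IPAddressFirst = take_any(IPAddress),      // simplification: one IP per bucket
            DisplayName = take_any(UserDisplayName)
    by UserPrincipalName, TimeGenerated = bin(TimeGenerated, bucket)
| extend FailureSuccessDiff = Failures - Successes
// v2.0.3 fix: force a deterministic row order, then serialize so the optimizer
// cannot reorder rows before make_list builds the two parallel arrays.
// Without this, Diff[i] and TimeStamp[i] may come from different buckets.
| sort by UserPrincipalName asc, TimeGenerated asc
| serialize
| summarize Diff = make_list(FailureSuccessDiff),
            TimeStamp = make_list(TimeGenerated),
            IPAddressFirst = take_any(IPAddressFirst),
            DisplayName = take_any(DisplayName)
    by UserPrincipalName
// Anomaly scoring over the per-user failure/success delta series.
| extend (Anomalies, Score, Baseline) = series_decompose_anomalies(Diff, 3)
// Expand the parallel arrays back to rows; alignment only holds if the arrays
// were built in the same (chronological) order.
| mv-expand TimeStamp to typeof(datetime),
            Diff to typeof(long),
            Anomalies to typeof(double),
            Score to typeof(double)
| where Anomalies > 0
| project TimeStamp, UserPrincipalName, DisplayName, IPAddressFirst, Diff, Score
```

One caveat to check when re-baselining: buckets with no sign-in events produce no row here, so the series is not evenly spaced; the make-series operator builds fixed-step arrays without depending on row order and is the usual way to avoid both problems.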

MITRE Mapping

Technique    Description
T1110        Brute Force
T1110.001    Password Guessing
T1110.003    Password Spraying

Affected Files

Solutions/Microsoft Entra ID/Analytic Rules/BruteForceAgainstanEntraAuthenticatedWindowsDevice.yaml
(packaging artefacts: 3.3.14.zip, ReleaseNotes.md, Solution_AAD.json, mainTemplate.json)