crowdstrike_cql, TTP

Credentials Validation Burst (Microsoft Defender for Identity)

Detects a high volume of credential validation attempts against Active Directory accounts within a short timeframe, using Microsoft Defender for Identity IdentityLogonEvents with LogonType "Credentials validation" (a domain controller validating an account's credentials). The query groups events by account and source address, counts validations and distinct destination devices, and returns pairs that exceed the count threshold (50 by default) inside the time window (10 minutes by default). This behavior is commonly associated with automated credential-testing activity such as password spraying or brute-force attempts and should be investigated.

MITRE ATT&CK

Credential Access (T1110 Brute Force)

Detection Query

#Vendor = "microsoft"
| #event.module = "defender-identity"
| Vendor.category = "AdvancedHunting-IdentityLogonEvents"
| Vendor.properties.LogonType = "Credentials validation"
| groupBy([user.name, source.address], function=[count(as=validation_count),count(field=Vendor.properties.DestinationDeviceName, distinct=true, as=unique_destinations),collect(fields=Vendor.properties.DestinationDeviceName),min(@timestamp, as=start_time),max(@timestamp, as=end_time)])
| validation_count > 50 // Adjust the value as per your environment
| time_diff_min := (end_time - start_time) / 60000
| time_diff_min <= 10 // Adjust the value as per your environment
| start_time_fmt := formatTime("%Y-%m-%d %H:%M:%S", field=start_time, timezone="UTC")
| end_time_fmt := formatTime("%Y-%m-%d %H:%M:%S", field=end_time, timezone="UTC")
| drop([start_time, end_time])
| sort([validation_count], order=desc)

Author

Kundan Kumar

Data Sources

Identity

Tags

Detection, cs_module:Identity
Raw Content
# --- Query Metadata ---
# Human-readable name for the query. Will be displayed as the title.
name: Credentials Validation Burst (Microsoft Defender for Identity)

# MITRE ATT&CK technique IDs
mitre_ids:
  - T1110

# Description of what the query does and its purpose.
description: |
  Detects a high volume of authentication or credential validation attempts against Active Directory accounts within a short timeframe. This behavior is commonly associated with automated credential‑testing activity such as password spraying or brute‑force attempts and should be investigated.

# The author or team that created the query.
author: Kundan Kumar

# The required log sources to run this query successfully in Next-Gen SIEM.
log_sources:
  - Identity

# The CrowdStrike modules required to run this query.
cs_required_modules:
  - Identity

# Tags for filtering and categorization.
tags:
  - Detection

# --- Query Content ---
# The actual CrowdStrike Query Language (CQL) code.
# Using the YAML block scalar `|` allows for multi-line strings.
cql: |
  #Vendor = "microsoft"
  | #event.module = "defender-identity"
  | Vendor.category = "AdvancedHunting-IdentityLogonEvents"
  | Vendor.properties.LogonType = "Credentials validation"
  | groupBy([user.name, source.address], function=[count(as=validation_count),count(field=Vendor.properties.DestinationDeviceName, distinct=true, as=unique_destinations),collect(fields=Vendor.properties.DestinationDeviceName),min(@timestamp, as=start_time),max(@timestamp, as=end_time)])
  | validation_count > 50 // Adjust the value as per your environment
  | time_diff_min := (end_time - start_time) / 60000
  | time_diff_min <= 10 // Adjust the value as per your environment
  | start_time_fmt := formatTime("%Y-%m-%d %H:%M:%S", field=start_time, timezone="UTC")
  | end_time_fmt := formatTime("%Y-%m-%d %H:%M:%S", field=end_time, timezone="UTC")
  | drop([start_time, end_time])
  | sort([validation_count], order=desc)

# Explanation of the query.
# Using the YAML block scalar `|` allows for multi-line strings.
# Uses markdown for formatting on the webpage.
explanation: |
  Detects a high volume of credential validation attempts against Active Directory accounts within a short timeframe. The query selects Defender for Identity IdentityLogonEvents with LogonType "Credentials validation", groups them by account and source address, and returns pairs with more than 50 validations whose first and last event fall within 10 minutes, together with the distinct destination devices. This behavior is commonly associated with automated credential-testing activity such as password spraying or brute-force attempts and should be investigated.

  Tuning notes:
  - Because the grouping key is the account plus the source address, the threshold is reached by many attempts against one account from one source (brute force). A password spray that makes a few attempts per account across many accounts stays below the per-pair count; to cover that case, run a variant keyed on source.address alone that counts distinct user.name values.
  - time_diff_min is the span between the earliest and latest event in the whole search range, so a campaign that lasts longer than 10 minutes is excluded by time_diff_min <= 10. Run the query over short, scheduled windows or compare validation_count against the span as a rate rather than an absolute count.
  - Service accounts, vulnerability scanners and monitoring systems can legitimately validate credentials at high rates; raise the thresholds or exclude known sources once they have been reviewed.