Microsoft Sentinel Analytic Rules

Mimecast Audit - Logon Authentication Failed

Id9c5dcd76-9f6d-42a3-b984-314b52678f20
RulenameMimecast Audit - Logon Authentication Failed
DescriptionDetects threat when logon authentication failure found in audit
SeverityHigh
TacticsDiscovery
InitialAccess
CredentialAccess
TechniquesT1110
Required data connectorsMimecastAuditAPI
KindScheduled
Query frequency5m
Query period15m
Trigger threshold3
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/MimecastAudit/Analytic Rules/MimecastAudit.yaml
Version1.0.0
Arm template9c5dcd76-9f6d-42a3-b984-314b52678f20.json
// Rows of the Mimecast audit table recording a failed logon that carry a
// source address. Each row returned counts toward the rule's trigger threshold;
// there is no summarize, so the count spans all users and source IPs.
MimecastAudit_CL | where auditType_s == "Logon Authentication Failed" and isnotempty(src_s)
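# Microsoft Sentinel scheduled analytic rule, rendered from the Azure-Sentinel
# MimecastAudit solution (see OriginalUri). Every `queryFrequency` the `query`
# runs over the last `queryPeriod`; an alert fires when the row count is
# `triggerOperator` `triggerThreshold` (here: more than 3 rows in 15 minutes).
relevantTechniques:
- T1110
triggerOperator: gt
# NOTE(review): T1110 (Brute Force) sits under Credential Access in ATT&CK; the
# Discovery and InitialAccess tactics are listed here without a technique of
# their own. Kept as upstream ships them — confirm before trimming.
tactics:
- Discovery
- InitialAccess
- CredentialAccess
incidentConfiguration:
  createIncident: true
  # Alerts whose mapped IP, Mailbox and CloudApplication entities all match are
  # folded into one incident for up to a day; closed incidents are not reopened.
  groupingConfiguration:
    lookbackDuration: 1d
    matchingMethod: AllEntities
    enabled: true
    reopenClosedIncident: false
queryPeriod: 15m
apiVersion: 2021-09-01-preview
kind: Scheduled
id: 9c5dcd76-9f6d-42a3-b984-314b52678f20
enabled: true
version: 1.0.0
# Explicit null instead of a bare `key:` — the ARM rendering of this rule
# already emits null for these three fields, so the value is unchanged but no
# longer ambiguous to a reader or a linter (yamllint empty-values).
alertDetailsOverride: null
description: Detects threat when logon authentication failure found in audit
requiredDataConnectors:
- connectorId: MimecastAuditAPI
  dataTypes:
  - MimecastAudit_CL
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/MimecastAudit/Analytic Rules/MimecastAudit.yaml
customDetails: null
alertRuleTemplateName: null
# One alert per rule run regardless of how many rows matched; the entities
# mapped below are drawn from those rows and attached to that single alert.
eventGroupingSettings:
  aggregationKind: SingleAlert
# NOTE(review): the threshold counts every matching row in the window across
# all users and source IPs combined (the query has no `summarize`), so four
# failures tenant-wide — even from four different users — already open a High
# incident. Expect noise on larger tenants; aggregate by user_s / src_s in the
# query before tuning this number.
triggerThreshold: 3
name: Mimecast Audit - Logon Authentication Failed
severity: High
displayName: Mimecast Audit - Logon Authentication Failed
queryFrequency: 5m
# isnotempty() is the Kusto idiom for the original `src_s != ""` guard and
# excludes the same rows: only "Logon Authentication Failed" audit events that
# carry a source address are counted.
query: MimecastAudit_CL | where isnotempty(src_s) and auditType_s == "Logon Authentication Failed"
# Suppression is disabled below, so this duration is inert until it is enabled.
suppressionDuration: 5h
entityMappings:
# Source address of the failed logon.
- fieldMappings:
  - identifier: Address
    columnName: src_s
  entityType: IP
# The account that failed to authenticate, surfaced as a Mailbox entity.
- fieldMappings:
  - identifier: MailboxPrimaryAddress
    columnName: user_s
  entityType: Mailbox
# NOTE(review): CloudApplication.AppId expects an application identifier;
# whether Mimecast's app_s column carries such a value is not visible here —
# TODO confirm against sample MimecastAudit_CL rows.
- fieldMappings:
  - identifier: AppId
    columnName: app_s
  entityType: CloudApplication
suppressionEnabled: false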
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2023-02-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/9c5dcd76-9f6d-42a3-b984-314b52678f20')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/9c5dcd76-9f6d-42a3-b984-314b52678f20')]",
      "properties": {
        "alertDetailsOverride": null,
        "alertRuleTemplateName": null,
        "apiVersion": "2021-09-01-preview",
        "customDetails": null,
        "description": "Detects threat when logon authentication failure found in audit",
        "displayName": "Mimecast Audit - Logon Authentication Failed",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "src_s",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "Mailbox",
            "fieldMappings": [
              {
                "columnName": "user_s",
                "identifier": "MailboxPrimaryAddress"
              }
            ]
          },
          {
            "entityType": "CloudApplication",
            "fieldMappings": [
              {
                "columnName": "app_s",
                "identifier": "AppId"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "SingleAlert"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": true,
            "lookbackDuration": "P1D",
            "matchingMethod": "AllEntities",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/MimecastAudit/Analytic Rules/MimecastAudit.yaml",
        "query": "MimecastAudit_CL | where src_s !=\"\" and auditType_s == \"Logon Authentication Failed\"",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT15M",
        "severity": "High",
        "suppressionDuration": "PT5H",
        "suppressionEnabled": false,
        "tactics": [
          "CredentialAccess",
          "Discovery",
          "InitialAccess"
        ],
        "techniques": [
          "T1110"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 3
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}