Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Claroty - Multiple failed logins to same destinations

Claroty - Multiple failed logins to same destinations

Back
Id1c2310ef-19bf-4caf-b2b0-a4c983932fa5
RulenameClaroty - Multiple failed logins to same destinations
DescriptionDetects multiple failed login attempts to the same Claroty SRA destination site within a 5-minute window. The rule counts failed logins per site and alerts when the number of failures exceeds the threshold value of 10.
SeverityHigh
TacticsInitialAccess
TechniquesT1190
T1133
Required data connectorsCefAma
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Claroty/Analytic Rules/ClarotyMultipleFailedLoginsSameDst.yaml
Version1.0.4
Arm template1c2310ef-19bf-4caf-b2b0-a4c983932fa5.json
Deploy To Azure
let threshold = 10;
  ClarotyEvent
  | where EventType has 'Login to SRA'
  | where EventType !has 'succeeded'
  | extend Site = column_ifexists("site_name","")
  | where isnotempty(Site)
  | extend SrcUsername = extract(@'User\s(.*?)\sfailed', 1, EventMessage)
  | summarize FailedLogins = count(), SampleUser = any(SrcUsername) by Site, bin(TimeGenerated, 5m)
  | where FailedLogins > threshold
  | extend SGCustomEntity = Site
  | project TimeGenerated, Site, FailedLogins, Threshold = threshold, SampleUser, SGCustomEntity

status: Available
relevantTechniques:
- T1190
- T1133
triggerThreshold: 0
severity: High
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Claroty/Analytic Rules/ClarotyMultipleFailedLoginsSameDst.yaml
queryPeriod: 1h
query: |
  let threshold = 10;
    ClarotyEvent
    | where EventType has 'Login to SRA'
    | where EventType !has 'succeeded'
    | extend Site = column_ifexists("site_name","")
    | where isnotempty(Site)
    | extend SrcUsername = extract(@'User\s(.*?)\sfailed', 1, EventMessage)
    | summarize FailedLogins = count(), SampleUser = any(SrcUsername) by Site, bin(TimeGenerated, 5m)
    | where FailedLogins > threshold
    | extend SGCustomEntity = Site
    | project TimeGenerated, Site, FailedLogins, Threshold = threshold, SampleUser, SGCustomEntity  
id: 1c2310ef-19bf-4caf-b2b0-a4c983932fa5
entityMappings:
- fieldMappings:
  - columnName: SGCustomEntity
    identifier: DistinguishedName
  entityType: SecurityGroup
name: Claroty - Multiple failed logins to same destinations
kind: Scheduled
description: Detects multiple failed login attempts to the same Claroty SRA destination site within a 5-minute window. The rule counts failed logins per site and alerts when the number of failures exceeds the threshold value of 10.
tactics:
- InitialAccess
version: 1.0.4
triggerOperator: gt
queryFrequency: 1h
requiredDataConnectors:
- connectorId: CefAma
  dataTypes:
  - CommonSecurityLog