Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Claroty - Multiple failed logins to same destinations

Back
Id1c2310ef-19bf-4caf-b2b0-a4c983932fa5
RulenameClaroty - Multiple failed logins to same destinations
DescriptionDetects multiple failed logins to same destinations.
SeverityHigh
TacticsInitialAccess
TechniquesT1190
T1133
Required data connectorsCefAma
Claroty
ClarotyAma
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Claroty/Analytic Rules/ClarotyMultipleFailedLoginsSameDst.yaml
Version1.0.2
Arm template1c2310ef-19bf-4caf-b2b0-a4c983932fa5.json
Deploy To Azure
let threshold = 10;
ClarotyEvent
| where EventType has 'Login to SRA'
| where EventType !has 'succeeded'
| extend Site = column_ifexists("site_name","")
| where isnotempty(Site)
| extend SrcUsername = extract(@'User\s(.*?)\sfailed', 1, EventMessage)
| summarize count() by Site, bin(TimeGenerated, 5m)
| where count_ > threshold
| extend SGCustomEntity = Site
severity: High
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Claroty/Analytic Rules/ClarotyMultipleFailedLoginsSameDst.yaml
id: 1c2310ef-19bf-4caf-b2b0-a4c983932fa5
name: Claroty - Multiple failed logins to same destinations
query: |
  let threshold = 10;
  ClarotyEvent
  | where EventType has 'Login to SRA'
  | where EventType !has 'succeeded'
  | extend Site = column_ifexists("site_name","")
  | where isnotempty(Site)
  | extend SrcUsername = extract(@'User\s(.*?)\sfailed', 1, EventMessage)
  | summarize count() by Site, bin(TimeGenerated, 5m)
  | where count_ > threshold
  | extend SGCustomEntity = Site  
entityMappings:
- fieldMappings:
  - columnName: SGCustomEntity
    identifier: DistinguishedName
  entityType: SecurityGroup
queryPeriod: 1h
triggerThreshold: 0
tactics:
- InitialAccess
version: 1.0.2
kind: Scheduled
relevantTechniques:
- T1190
- T1133
queryFrequency: 1h
status: Available
requiredDataConnectors:
- dataTypes:
  - ClarotyEvent
  connectorId: Claroty
- dataTypes:
  - ClarotyEvent
  connectorId: ClarotyAma
- dataTypes:
  - CommonSecurityLog
  connectorId: CefAma
description: |
    'Detects multiple failed logins to same destinations.'
triggerOperator: gt
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2023-02-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/1c2310ef-19bf-4caf-b2b0-a4c983932fa5')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/1c2310ef-19bf-4caf-b2b0-a4c983932fa5')]",
      "properties": {
        "alertRuleTemplateName": "1c2310ef-19bf-4caf-b2b0-a4c983932fa5",
        "customDetails": null,
        "description": "'Detects multiple failed logins to same destinations.'\n",
        "displayName": "Claroty - Multiple failed logins to same destinations",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "SecurityGroup",
            "fieldMappings": [
              {
                "columnName": "SGCustomEntity",
                "identifier": "DistinguishedName"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Claroty/Analytic Rules/ClarotyMultipleFailedLoginsSameDst.yaml",
        "query": "let threshold = 10;\nClarotyEvent\n| where EventType has 'Login to SRA'\n| where EventType !has 'succeeded'\n| extend Site = column_ifexists(\"site_name\",\"\")\n| where isnotempty(Site)\n| extend SrcUsername = extract(@'User\\s(.*?)\\sfailed', 1, EventMessage)\n| summarize count() by Site, bin(TimeGenerated, 5m)\n| where count_ > threshold\n| extend SGCustomEntity = Site\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "High",
        "status": "Available",
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess"
        ],
        "techniques": [
          "T1133",
          "T1190"
        ],
        "templateVersion": "1.0.2",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}