PulseConnectSecure - Large Number of Distinct Failed User Logins

Back


Id	1fa1528e-f746-4794-8a41-14827f4cb798
Rulename	PulseConnectSecure - Large Number of Distinct Failed User Logins
Description	This query identifies evidence of failed login attempts from a large number of distinct users on a Pulse Connect Secure VPN server
Severity	Medium
Tactics	CredentialAccess
Techniques	T1110
Required data connectors	SyslogAma
Kind	Scheduled
Query frequency	1h
Query period	1h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Pulse Connect Secure/Analytic Rules/PulseConnectSecureVPN-DistinctFailedUserLogin.yaml
Version	1.0.4
Arm template	1fa1528e-f746-4794-8a41-14827f4cb798.json

KQL

let threshold = 100;
PulseConnectSecure
| where Messages startswith "Login failed"
| summarize dcount(User) by Computer, bin(TimeGenerated, 15m)
| where dcount_User > threshold

YAML

OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Pulse Connect Secure/Analytic Rules/PulseConnectSecureVPN-DistinctFailedUserLogin.yaml
query: |
  let threshold = 100;
  PulseConnectSecure
  | where Messages startswith "Login failed"
  | summarize dcount(User) by Computer, bin(TimeGenerated, 15m)
  | where dcount_User > threshold  
entityMappings:
- entityType: Host
  fieldMappings:
  - identifier: FullName
    columnName: Computer
kind: Scheduled
triggerOperator: gt
requiredDataConnectors:
- datatypes:
  - Syslog
  connectorId: SyslogAma
tactics:
- CredentialAccess
triggerThreshold: 0
description: |
    'This query identifies evidence of failed login attempts from a large number of distinct users on a Pulse Connect Secure VPN server'
queryPeriod: 1h
version: 1.0.4
queryFrequency: 1h
severity: Medium
name: PulseConnectSecure - Large Number of Distinct Failed User Logins
id: 1fa1528e-f746-4794-8a41-14827f4cb798
status: Available
relevantTechniques:
- T1110

ARM