PulseConnectSecure - Large Number of Distinct Failed User Logins

Back


Id	1fa1528e-f746-4794-8a41-14827f4cb798
Rulename	PulseConnectSecure - Large Number of Distinct Failed User Logins
Description	This query identifies evidence of failed login attempts from a large number of distinct users on a Pulse Connect Secure VPN server
Severity	Medium
Tactics	CredentialAccess
Techniques	T1110
Required data connectors	SyslogAma
Kind	Scheduled
Query frequency	1h
Query period	1h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Pulse Connect Secure/Analytic Rules/PulseConnectSecureVPN-DistinctFailedUserLogin.yaml
Version	1.0.4
Arm template	1fa1528e-f746-4794-8a41-14827f4cb798.json

KQL

let threshold = 100;
PulseConnectSecure
| where Messages startswith "Login failed"
| summarize dcount(User) by Computer, bin(TimeGenerated, 15m)
| where dcount_User > threshold

YAML

id: 1fa1528e-f746-4794-8a41-14827f4cb798
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Pulse Connect Secure/Analytic Rules/PulseConnectSecureVPN-DistinctFailedUserLogin.yaml
entityMappings:
- fieldMappings:
  - identifier: FullName
    columnName: Computer
  entityType: Host
requiredDataConnectors:
- datatypes:
  - Syslog
  connectorId: SyslogAma
queryFrequency: 1h
queryPeriod: 1h
status: Available
query: |
  let threshold = 100;
  PulseConnectSecure
  | where Messages startswith "Login failed"
  | summarize dcount(User) by Computer, bin(TimeGenerated, 15m)
  | where dcount_User > threshold  
name: PulseConnectSecure - Large Number of Distinct Failed User Logins
kind: Scheduled
tactics:
- CredentialAccess
severity: Medium
relevantTechniques:
- T1110
triggerThreshold: 0
version: 1.0.4
description: |
    'This query identifies evidence of failed login attempts from a large number of distinct users on a Pulse Connect Secure VPN server'

ARM