Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. PulseConnectSecure - Potential Brute Force Attempts

PulseConnectSecure - Potential Brute Force Attempts

Back
Id34663177-8abf-4db1-b0a4-5683ab273f44
RulenamePulseConnectSecure - Potential Brute Force Attempts
DescriptionThis query identifies evidence of potential brute force attack by looking at multiple failed attempts to log into the VPN server
SeverityLow
TacticsCredentialAccess
TechniquesT1110
Required data connectorsPulseConnectSecure
SyslogAma
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Pulse Connect Secure/Analytic Rules/PulseConnectSecureVPN-BruteForce.yaml
Version1.0.2
Arm template34663177-8abf-4db1-b0a4-5683ab273f44.json
Deploy To Azure
let threshold = 20;
PulseConnectSecure
| where Messages contains "Login failed"
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by User, Source_IP
| where count_ > threshold
| extend timestamp = StartTime, AccountCustomEntity = User, IPCustomEntity = Source_IP

relevantTechniques:
- T1110
name: PulseConnectSecure - Potential Brute Force Attempts
requiredDataConnectors:
- dataTypes:
  - Syslog
  connectorId: PulseConnectSecure
- datatypes:
  - Syslog
  connectorId: SyslogAma
entityMappings:
- fieldMappings:
  - identifier: FullName
    columnName: AccountCustomEntity
  entityType: Account
- fieldMappings:
  - identifier: Address
    columnName: IPCustomEntity
  entityType: IP
triggerThreshold: 0
id: 34663177-8abf-4db1-b0a4-5683ab273f44
tactics:
- CredentialAccess
version: 1.0.2
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Pulse Connect Secure/Analytic Rules/PulseConnectSecureVPN-BruteForce.yaml
queryPeriod: 1h
kind: Scheduled
queryFrequency: 1h
severity: Low
status: Available
description: |
    'This query identifies evidence of potential brute force attack by looking at multiple failed attempts to log into the VPN server'
query: |
  let threshold = 20;
  PulseConnectSecure
  | where Messages contains "Login failed"
  | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by User, Source_IP
  | where count_ > threshold
  | extend timestamp = StartTime, AccountCustomEntity = User, IPCustomEntity = Source_IP  
triggerOperator: gt

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/34663177-8abf-4db1-b0a4-5683ab273f44')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/34663177-8abf-4db1-b0a4-5683ab273f44')]",
      "properties": {
        "alertRuleTemplateName": "34663177-8abf-4db1-b0a4-5683ab273f44",
        "customDetails": null,
        "description": "'This query identifies evidence of potential brute force attack by looking at multiple failed attempts to log into the VPN server'\n",
        "displayName": "PulseConnectSecure - Potential Brute Force Attempts",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AccountCustomEntity",
                "identifier": "FullName"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "IPCustomEntity",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Pulse Connect Secure/Analytic Rules/PulseConnectSecureVPN-BruteForce.yaml",
        "query": "let threshold = 20;\nPulseConnectSecure\n| where Messages contains \"Login failed\"\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by User, Source_IP\n| where count_ > threshold\n| extend timestamp = StartTime, AccountCustomEntity = User, IPCustomEntity = Source_IP\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Low",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CredentialAccess"
        ],
        "techniques": [
          "T1110"
        ],
        "templateVersion": "1.0.2",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}