Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

PulseConnectSecure - Potential Brute Force Attempts

Back
Id34663177-8abf-4db1-b0a4-5683ab273f44
RulenamePulseConnectSecure - Potential Brute Force Attempts
DescriptionThis query identifies evidence of potential brute force attack by looking at multiple failed attempts to log into the VPN server
SeverityLow
TacticsCredentialAccess
TechniquesT1110
Required data connectorsSyslogAma
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Pulse Connect Secure/Analytic Rules/PulseConnectSecureVPN-BruteForce.yaml
Version1.0.4
Arm template34663177-8abf-4db1-b0a4-5683ab273f44.json
Deploy To Azure
let threshold = 20;
PulseConnectSecure
| where Messages contains "Login failed"
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by User, Source_IP
| where count_ > threshold
entityMappings:
- fieldMappings:
  - columnName: User
    identifier: FullName
  entityType: Account
- fieldMappings:
  - columnName: Source_IP
    identifier: Address
  entityType: IP
triggerThreshold: 0
severity: Low
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Pulse Connect Secure/Analytic Rules/PulseConnectSecureVPN-BruteForce.yaml
queryFrequency: 1h
status: Available
relevantTechniques:
- T1110
triggerOperator: gt
id: 34663177-8abf-4db1-b0a4-5683ab273f44
requiredDataConnectors:
- connectorId: SyslogAma
  datatypes:
  - Syslog
version: 1.0.4
name: PulseConnectSecure - Potential Brute Force Attempts
description: |
    'This query identifies evidence of potential brute force attack by looking at multiple failed attempts to log into the VPN server'
query: |
  let threshold = 20;
  PulseConnectSecure
  | where Messages contains "Login failed"
  | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by User, Source_IP
  | where count_ > threshold  
tactics:
- CredentialAccess
queryPeriod: 1h
kind: Scheduled
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/34663177-8abf-4db1-b0a4-5683ab273f44')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/34663177-8abf-4db1-b0a4-5683ab273f44')]",
      "properties": {
        "alertRuleTemplateName": "34663177-8abf-4db1-b0a4-5683ab273f44",
        "customDetails": null,
        "description": "'This query identifies evidence of potential brute force attack by looking at multiple failed attempts to log into the VPN server'\n",
        "displayName": "PulseConnectSecure - Potential Brute Force Attempts",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "User",
                "identifier": "FullName"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "Source_IP",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Pulse Connect Secure/Analytic Rules/PulseConnectSecureVPN-BruteForce.yaml",
        "query": "let threshold = 20;\nPulseConnectSecure\n| where Messages contains \"Login failed\"\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by User, Source_IP\n| where count_ > threshold\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Low",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CredentialAccess"
        ],
        "techniques": [
          "T1110"
        ],
        "templateVersion": "1.0.4",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}