PulseConnectSecure - Potential Brute Force Attempts

Back


Id	34663177-8abf-4db1-b0a4-5683ab273f44
Rulename	PulseConnectSecure - Potential Brute Force Attempts
Description	This query identifies evidence of potential brute force attack by looking at multiple failed attempts to log into the VPN server
Severity	Low
Tactics	CredentialAccess
Techniques	T1110
Required data connectors	SyslogAma
Kind	Scheduled
Query frequency	1h
Query period	1h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Pulse Connect Secure/Analytic Rules/PulseConnectSecureVPN-BruteForce.yaml
Version	1.0.4
Arm template	34663177-8abf-4db1-b0a4-5683ab273f44.json

KQL

let threshold = 20;
PulseConnectSecure
| where Messages contains "Login failed"
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by User, Source_IP
| where count_ > threshold

YAML

status: Available
queryFrequency: 1h
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Pulse Connect Secure/Analytic Rules/PulseConnectSecureVPN-BruteForce.yaml
kind: Scheduled
description: |
    'This query identifies evidence of potential brute force attack by looking at multiple failed attempts to log into the VPN server'
triggerOperator: gt
tactics:
- CredentialAccess
queryPeriod: 1h
triggerThreshold: 0
id: 34663177-8abf-4db1-b0a4-5683ab273f44
severity: Low
requiredDataConnectors:
- connectorId: SyslogAma
  datatypes:
  - Syslog
version: 1.0.4
query: |
  let threshold = 20;
  PulseConnectSecure
  | where Messages contains "Login failed"
  | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by User, Source_IP
  | where count_ > threshold  
entityMappings:
- fieldMappings:
  - identifier: FullName
    columnName: User
  entityType: Account
- fieldMappings:
  - identifier: Address
    columnName: Source_IP
  entityType: IP
name: PulseConnectSecure - Potential Brute Force Attempts
relevantTechniques:
- T1110

ARM