Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

PulseConnectSecure - Potential Brute Force Attempts

Back
Id34663177-8abf-4db1-b0a4-5683ab273f44
RulenamePulseConnectSecure - Potential Brute Force Attempts
DescriptionThis query identifies evidence of potential brute force attack by looking at multiple failed attempts to log into the VPN server
SeverityLow
TacticsCredentialAccess
TechniquesT1110
Required data connectorsSyslogAma
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Pulse Connect Secure/Analytic Rules/PulseConnectSecureVPN-BruteForce.yaml
Version1.0.4
Arm template34663177-8abf-4db1-b0a4-5683ab273f44.json
Deploy To Azure
let threshold = 20;
PulseConnectSecure
| where Messages contains "Login failed"
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by User, Source_IP
| where count_ > threshold
status: Available
id: 34663177-8abf-4db1-b0a4-5683ab273f44
query: |
  let threshold = 20;
  PulseConnectSecure
  | where Messages contains "Login failed"
  | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by User, Source_IP
  | where count_ > threshold  
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Pulse Connect Secure/Analytic Rules/PulseConnectSecureVPN-BruteForce.yaml
description: |
    'This query identifies evidence of potential brute force attack by looking at multiple failed attempts to log into the VPN server'
name: PulseConnectSecure - Potential Brute Force Attempts
relevantTechniques:
- T1110
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: FullName
    columnName: User
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: Source_IP
triggerThreshold: 0
severity: Low
requiredDataConnectors:
- datatypes:
  - Syslog
  connectorId: SyslogAma
queryFrequency: 1h
queryPeriod: 1h
version: 1.0.4
kind: Scheduled
tactics:
- CredentialAccess
triggerOperator: gt
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/34663177-8abf-4db1-b0a4-5683ab273f44')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/34663177-8abf-4db1-b0a4-5683ab273f44')]",
      "properties": {
        "alertRuleTemplateName": "34663177-8abf-4db1-b0a4-5683ab273f44",
        "customDetails": null,
        "description": "'This query identifies evidence of potential brute force attack by looking at multiple failed attempts to log into the VPN server'\n",
        "displayName": "PulseConnectSecure - Potential Brute Force Attempts",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "User",
                "identifier": "FullName"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "Source_IP",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Pulse Connect Secure/Analytic Rules/PulseConnectSecureVPN-BruteForce.yaml",
        "query": "let threshold = 20;\nPulseConnectSecure\n| where Messages contains \"Login failed\"\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by User, Source_IP\n| where count_ > threshold\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Low",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CredentialAccess"
        ],
        "techniques": [
          "T1110"
        ],
        "templateVersion": "1.0.4",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}