Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

PulseConnectSecure - Potential Brute Force Attempts

Back
Id34663177-8abf-4db1-b0a4-5683ab273f44
RulenamePulseConnectSecure - Potential Brute Force Attempts
DescriptionThis query identifies evidence of potential brute force attack by looking at multiple failed attempts to log into the VPN server
SeverityLow
TacticsCredentialAccess
TechniquesT1110
Required data connectorsPulseConnectSecure
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Pulse Connect Secure/Analytic Rules/PulseConnectSecureVPN-BruteForce.yaml
Version1.0.1
Arm template34663177-8abf-4db1-b0a4-5683ab273f44.json
Deploy To Azure
let threshold = 20;
PulseConnectSecure
| where Messages contains "Login failed"
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by User, Source_IP
| where count_ > threshold
| extend timestamp = StartTime, AccountCustomEntity = User, IPCustomEntity = Source_IP
queryFrequency: 1h
entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: AccountCustomEntity
    identifier: FullName
- entityType: IP
  fieldMappings:
  - columnName: IPCustomEntity
    identifier: Address
severity: Low
triggerThreshold: 0
relevantTechniques:
- T1110
query: |
  let threshold = 20;
  PulseConnectSecure
  | where Messages contains "Login failed"
  | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by User, Source_IP
  | where count_ > threshold
  | extend timestamp = StartTime, AccountCustomEntity = User, IPCustomEntity = Source_IP  
id: 34663177-8abf-4db1-b0a4-5683ab273f44
triggerOperator: gt
version: 1.0.1
requiredDataConnectors:
- connectorId: PulseConnectSecure
  dataTypes:
  - Syslog
description: |
    'This query identifies evidence of potential brute force attack by looking at multiple failed attempts to log into the VPN server'
queryPeriod: 1h
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Pulse Connect Secure/Analytic Rules/PulseConnectSecureVPN-BruteForce.yaml
status: Available
name: PulseConnectSecure - Potential Brute Force Attempts
tactics:
- CredentialAccess
kind: Scheduled
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/34663177-8abf-4db1-b0a4-5683ab273f44')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/34663177-8abf-4db1-b0a4-5683ab273f44')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01",
      "properties": {
        "displayName": "PulseConnectSecure - Potential Brute Force Attempts",
        "description": "'This query identifies evidence of potential brute force attack by looking at multiple failed attempts to log into the VPN server'\n",
        "severity": "Low",
        "enabled": true,
        "query": "let threshold = 20;\nPulseConnectSecure\n| where Messages contains \"Login failed\"\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by User, Source_IP\n| where count_ > threshold\n| extend timestamp = StartTime, AccountCustomEntity = User, IPCustomEntity = Source_IP\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CredentialAccess"
        ],
        "techniques": [
          "T1110"
        ],
        "alertRuleTemplateName": "34663177-8abf-4db1-b0a4-5683ab273f44",
        "customDetails": null,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "identifier": "FullName",
                "columnName": "AccountCustomEntity"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "identifier": "Address",
                "columnName": "IPCustomEntity"
              }
            ]
          }
        ],
        "status": "Available",
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Pulse Connect Secure/Analytic Rules/PulseConnectSecureVPN-BruteForce.yaml",
        "templateVersion": "1.0.1"
      }
    }
  ]
}