Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

PulseConnectSecure - Potential Brute Force Attempts

Back
Id34663177-8abf-4db1-b0a4-5683ab273f44
RulenamePulseConnectSecure - Potential Brute Force Attempts
DescriptionThis query identifies evidence of potential brute force attack by looking at multiple failed attempts to log into the VPN server
SeverityLow
TacticsCredentialAccess
TechniquesT1110
Required data connectorsPulseConnectSecure
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Pulse Connect Secure/Analytic Rules/PulseConnectSecureVPN-BruteForce.yaml
Version1.0.1
Arm template34663177-8abf-4db1-b0a4-5683ab273f44.json
Deploy To Azure
let threshold = 20;
PulseConnectSecure
| where Messages contains "Login failed"
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by User, Source_IP
| where count_ > threshold
| extend timestamp = StartTime, AccountCustomEntity = User, IPCustomEntity = Source_IP
severity: Low
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Pulse Connect Secure/Analytic Rules/PulseConnectSecureVPN-BruteForce.yaml
id: 34663177-8abf-4db1-b0a4-5683ab273f44
name: PulseConnectSecure - Potential Brute Force Attempts
query: |
  let threshold = 20;
  PulseConnectSecure
  | where Messages contains "Login failed"
  | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by User, Source_IP
  | where count_ > threshold
  | extend timestamp = StartTime, AccountCustomEntity = User, IPCustomEntity = Source_IP  
entityMappings:
- fieldMappings:
  - columnName: AccountCustomEntity
    identifier: FullName
  entityType: Account
- fieldMappings:
  - columnName: IPCustomEntity
    identifier: Address
  entityType: IP
queryPeriod: 1h
triggerThreshold: 0
tactics:
- CredentialAccess
version: 1.0.1
kind: Scheduled
relevantTechniques:
- T1110
queryFrequency: 1h
status: Available
requiredDataConnectors:
- dataTypes:
  - Syslog
  connectorId: PulseConnectSecure
description: |
    'This query identifies evidence of potential brute force attack by looking at multiple failed attempts to log into the VPN server'
triggerOperator: gt
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2023-02-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/34663177-8abf-4db1-b0a4-5683ab273f44')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/34663177-8abf-4db1-b0a4-5683ab273f44')]",
      "properties": {
        "alertRuleTemplateName": "34663177-8abf-4db1-b0a4-5683ab273f44",
        "customDetails": null,
        "description": "'This query identifies evidence of potential brute force attack by looking at multiple failed attempts to log into the VPN server'\n",
        "displayName": "PulseConnectSecure - Potential Brute Force Attempts",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AccountCustomEntity",
                "identifier": "FullName"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "IPCustomEntity",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Pulse Connect Secure/Analytic Rules/PulseConnectSecureVPN-BruteForce.yaml",
        "query": "let threshold = 20;\nPulseConnectSecure\n| where Messages contains \"Login failed\"\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by User, Source_IP\n| where count_ > threshold\n| extend timestamp = StartTime, AccountCustomEntity = User, IPCustomEntity = Source_IP\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Low",
        "status": "Available",
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CredentialAccess"
        ],
        "techniques": [
          "T1110"
        ],
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}