PulseConnectSecure - Potential Brute Force Attempts

Back


Id	34663177-8abf-4db1-b0a4-5683ab273f44
Rulename	PulseConnectSecure - Potential Brute Force Attempts
Description	This query identifies evidence of potential brute force attack by looking at multiple failed attempts to log into the VPN server
Severity	Low
Tactics	CredentialAccess
Techniques	T1110
Required data connectors	SyslogAma
Kind	Scheduled
Query frequency	1h
Query period	1h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Pulse Connect Secure/Analytic Rules/PulseConnectSecureVPN-BruteForce.yaml
Version	1.0.4
Arm template	34663177-8abf-4db1-b0a4-5683ab273f44.json

KQL

let threshold = 20;
PulseConnectSecure
| where Messages contains "Login failed"
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by User, Source_IP
| where count_ > threshold

YAML

status: Available
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
query: |
  let threshold = 20;
  PulseConnectSecure
  | where Messages contains "Login failed"
  | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by User, Source_IP
  | where count_ > threshold  
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Pulse Connect Secure/Analytic Rules/PulseConnectSecureVPN-BruteForce.yaml
tactics:
- CredentialAccess
triggerThreshold: 0
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: FullName
    columnName: User
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: Source_IP
requiredDataConnectors:
- connectorId: SyslogAma
  datatypes:
  - Syslog
kind: Scheduled
relevantTechniques:
- T1110
description: |
    'This query identifies evidence of potential brute force attack by looking at multiple failed attempts to log into the VPN server'
name: PulseConnectSecure - Potential Brute Force Attempts
version: 1.0.4
id: 34663177-8abf-4db1-b0a4-5683ab273f44
severity: Low

ARM