Silverfort - UserBruteForce Incident

Back


Id	46ff357b-9e98-465b-9e45-cd52fa4a7522
Rulename	Silverfort - UserBruteForce Incident
Description	A security weakness that allows attackers to gain unauthorized access to user accounts by systematically guessing the username and password combinations.
Severity	High
Tactics	CredentialAccess
Techniques	T1110
Required data connectors	SilverfortAma
Kind	Scheduled
Query frequency	15m
Query period	15m
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Silverfort/Analytic Rules/User_Brute_Force.yaml
Version	1.0.0
Arm template	46ff357b-9e98-465b-9e45-cd52fa4a7522.json

KQL

CommonSecurityLog 
| where DeviceVendor has 'Silverfort'
| where DeviceProduct has 'Admin Console'
| where DeviceEventClassID == "NewIncident"
| where Message has "UserBruteForce"
| extend UserName = parse_json(replace('^""|""$', '', Message))['userName']

YAML

triggerOperator: gt
queryFrequency: 15m
triggerThreshold: 0
relevantTechniques:
- T1110
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: Name
    columnName: UserName
query: |-
  CommonSecurityLog 
  | where DeviceVendor has 'Silverfort'
  | where DeviceProduct has 'Admin Console'
  | where DeviceEventClassID == "NewIncident"
  | where Message has "UserBruteForce"
  | extend UserName = parse_json(replace('^""|""$', '', Message))['userName']  
requiredDataConnectors:
- connectorId: SilverfortAma
  dataTypes:
  - CommonSecurityLog
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Silverfort/Analytic Rules/User_Brute_Force.yaml
queryPeriod: 15m
name: Silverfort - UserBruteForce Incident
kind: Scheduled
description: |
    'A security weakness that allows attackers to gain unauthorized access to user accounts by systematically guessing the username and password combinations.'
id: 46ff357b-9e98-465b-9e45-cd52fa4a7522
version: 1.0.0
tactics:
- CredentialAccess
severity: High

ARM