Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Silverfort - UserBruteForce Incident

Back
Id46ff357b-9e98-465b-9e45-cd52fa4a7522
RulenameSilverfort - UserBruteForce Incident
DescriptionA security weakness that allows attackers to gain unauthorized access to user accounts by systematically guessing the username and password combinations.
SeverityHigh
TacticsCredentialAccess
TechniquesT1110
Required data connectorsSilverfortAma
KindScheduled
Query frequency15m
Query period15m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Silverfort/Analytic Rules/User_Brute_Force.yaml
Version1.0.0
Arm template46ff357b-9e98-465b-9e45-cd52fa4a7522.json
Deploy To Azure
CommonSecurityLog 
| where DeviceVendor has 'Silverfort'
| where DeviceProduct has 'Admin Console'
| where DeviceEventClassID == "NewIncident"
| where Message has "UserBruteForce"
| extend UserName = parse_json(replace('^""|""$', '', Message))['userName']
description: |
    'A security weakness that allows attackers to gain unauthorized access to user accounts by systematically guessing the username and password combinations.'
version: 1.0.0
entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: UserName
    identifier: Name
queryFrequency: 15m
requiredDataConnectors:
- connectorId: SilverfortAma
  dataTypes:
  - CommonSecurityLog
query: |-
  CommonSecurityLog 
  | where DeviceVendor has 'Silverfort'
  | where DeviceProduct has 'Admin Console'
  | where DeviceEventClassID == "NewIncident"
  | where Message has "UserBruteForce"
  | extend UserName = parse_json(replace('^""|""$', '', Message))['userName']  
triggerOperator: gt
severity: High
relevantTechniques:
- T1110
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Silverfort/Analytic Rules/User_Brute_Force.yaml
queryPeriod: 15m
id: 46ff357b-9e98-465b-9e45-cd52fa4a7522
name: Silverfort - UserBruteForce Incident
kind: Scheduled
tactics:
- CredentialAccess
triggerThreshold: 0
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/46ff357b-9e98-465b-9e45-cd52fa4a7522')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/46ff357b-9e98-465b-9e45-cd52fa4a7522')]",
      "properties": {
        "alertRuleTemplateName": "46ff357b-9e98-465b-9e45-cd52fa4a7522",
        "customDetails": null,
        "description": "'A security weakness that allows attackers to gain unauthorized access to user accounts by systematically guessing the username and password combinations.'\n",
        "displayName": "Silverfort - UserBruteForce Incident",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "UserName",
                "identifier": "Name"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Silverfort/Analytic Rules/User_Brute_Force.yaml",
        "query": "CommonSecurityLog \n| where DeviceVendor has 'Silverfort'\n| where DeviceProduct has 'Admin Console'\n| where DeviceEventClassID == \"NewIncident\"\n| where Message has \"UserBruteForce\"\n| extend UserName = parse_json(replace('^\"\"|\"\"$', '', Message))['userName']",
        "queryFrequency": "PT15M",
        "queryPeriod": "PT15M",
        "severity": "High",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CredentialAccess"
        ],
        "techniques": [
          "T1110"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}