Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Claroty - Multiple failed logins by user

Back
Id4b5bb3fc-c690-4f54-9a74-016213d699b4
RulenameClaroty - Multiple failed logins by user
DescriptionDetects multiple failed logins by same user.
SeverityHigh
TacticsInitialAccess
TechniquesT1190
T1133
Required data connectorsClaroty
ClarotyAma
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Claroty/Analytic Rules/ClarotyMultipleFailedLogin.yaml
Version1.0.1
Arm template4b5bb3fc-c690-4f54-9a74-016213d699b4.json
Deploy To Azure
let threshold = 5;
ClarotyEvent
| where EventType has 'Login to SRA'
| where EventType !has 'succeeded'
| extend SrcUsername = extract(@'User\s(.*?)\sfailed', 1, EventMessage)
| summarize count() by SrcUsername, bin(TimeGenerated, 5m)
| where count_ > threshold
| extend AccountCustomEntity = SrcUsername
requiredDataConnectors:
- connectorId: Claroty
  dataTypes:
  - ClarotyEvent
- connectorId: ClarotyAma
  dataTypes:
  - ClarotyEvent
triggerOperator: gt
queryFrequency: 1h
name: Claroty - Multiple failed logins by user
status: Available
queryPeriod: 1h
id: 4b5bb3fc-c690-4f54-9a74-016213d699b4
description: |
    'Detects multiple failed logins by same user.'
severity: High
query: |
  let threshold = 5;
  ClarotyEvent
  | where EventType has 'Login to SRA'
  | where EventType !has 'succeeded'
  | extend SrcUsername = extract(@'User\s(.*?)\sfailed', 1, EventMessage)
  | summarize count() by SrcUsername, bin(TimeGenerated, 5m)
  | where count_ > threshold
  | extend AccountCustomEntity = SrcUsername  
version: 1.0.1
kind: Scheduled
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Claroty/Analytic Rules/ClarotyMultipleFailedLogin.yaml
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: Name
    columnName: AccountCustomEntity
relevantTechniques:
- T1190
- T1133
tactics:
- InitialAccess
triggerThreshold: 0
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/4b5bb3fc-c690-4f54-9a74-016213d699b4')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/4b5bb3fc-c690-4f54-9a74-016213d699b4')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01-preview",
      "properties": {
        "displayName": "Claroty - Multiple failed logins by user",
        "description": "'Detects multiple failed logins by same user.'\n",
        "severity": "High",
        "enabled": true,
        "query": "let threshold = 5;\nClarotyEvent\n| where EventType has 'Login to SRA'\n| where EventType !has 'succeeded'\n| extend SrcUsername = extract(@'User\\s(.*?)\\sfailed', 1, EventMessage)\n| summarize count() by SrcUsername, bin(TimeGenerated, 5m)\n| where count_ > threshold\n| extend AccountCustomEntity = SrcUsername\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess"
        ],
        "techniques": [
          "T1190",
          "T1133"
        ],
        "alertRuleTemplateName": "4b5bb3fc-c690-4f54-9a74-016213d699b4",
        "customDetails": null,
        "entityMappings": [
          {
            "fieldMappings": [
              {
                "identifier": "Name",
                "columnName": "AccountCustomEntity"
              }
            ],
            "entityType": "Account"
          }
        ],
        "templateVersion": "1.0.1",
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Claroty/Analytic Rules/ClarotyMultipleFailedLogin.yaml",
        "status": "Available"
      }
    }
  ]
}