
Claroty - Multiple failed logins by user

Id4b5bb3fc-c690-4f54-9a74-016213d699b4
RulenameClaroty - Multiple failed logins by user
DescriptionDetects multiple failed logins by the same user.
SeverityHigh
TacticsInitialAccess
TechniquesT1190
T1133
Required data connectorsCefAma
Claroty
ClarotyAma
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Claroty/Analytic Rules/ClarotyMultipleFailedLogin.yaml
Version1.0.2
Arm template4b5bb3fc-c690-4f54-9a74-016213d699b4.json
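// Claroty SRA failed-login burst: returns one row per user and 5-minute bin
// in which that user produced more than `threshold` failed 'Login to SRA' events.
// The analytic rule's own trigger is threshold 0 / operator gt, so every row
// this query returns raises an alert; the effective threshold is the value below.
// Fixed 5-minute bins mean a burst that straddles a bin boundary can stay below
// the threshold in each half.
let threshold = 5;
ClarotyEvent
| where EventType has 'Login to SRA'
// Anything that is not explicitly a success is treated as a failure.
| where EventType !has 'succeeded'
// The username comes from the free-text message; the pattern assumes
// "User <name> failed ..." wording — TODO confirm against a live event.
| extend SrcUsername = extract(@'User\s(.*?)\sfailed', 1, EventMessage)
// Drop rows where the pattern did not match. Without this, every unparsed
// event collapses into a single empty-username group, which can exceed the
// threshold on its own and fire an alert that carries no usable Account entity.
| where isnotempty(SrcUsername)
| summarize count() by SrcUsername, bin(TimeGenerated, 5m)
| where count_ > threshold
// Column consumed by the rule's Account entity mapping (identifier: Name).
| extend AccountCustomEntity = SrcUsername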
# Rendered YAML of the Sentinel scheduled analytic rule; mirrors the metadata
# table above and the ARM template below.
status: Available
queryFrequency: 1h
description: |
    'Detects multiple failed logins by same user.'
severity: High
version: 1.0.2
# NOTE(review): the query counts repeated failed logins per user, which reads
# like ATT&CK T1110 (Brute Force); the techniques listed here are the ones
# shipped with the rule — confirm the intended mapping.
relevantTechniques:
- T1190
- T1133
name: Claroty - Multiple failed logins by user
# The rule fires on any row the query returns (triggerThreshold 0 with
# triggerOperator gt); the effective "more than 5 failures in a 5-minute bin"
# threshold lives inside the query itself (`let threshold = 5`).
triggerThreshold: 0
kind: Scheduled
# Rows whose EventMessage does not match the extract() pattern get an empty
# SrcUsername and are grouped together; such a group can fire an alert with
# no usable Account entity.
query: |
  let threshold = 5;
  ClarotyEvent
  | where EventType has 'Login to SRA'
  | where EventType !has 'succeeded'
  | extend SrcUsername = extract(@'User\s(.*?)\sfailed', 1, EventMessage)
  | summarize count() by SrcUsername, bin(TimeGenerated, 5m)
  | where count_ > threshold
  | extend AccountCustomEntity = SrcUsername  
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Claroty/Analytic Rules/ClarotyMultipleFailedLogin.yaml
# The query reads ClarotyEvent only; CefAma is listed with CommonSecurityLog,
# presumably because a parser projects CEF rows into ClarotyEvent — verify in
# the solution before relying on that connector alone.
requiredDataConnectors:
- connectorId: Claroty
  dataTypes:
  - ClarotyEvent
- connectorId: ClarotyAma
  dataTypes:
  - ClarotyEvent
- connectorId: CefAma
  dataTypes:
  - CommonSecurityLog
tactics:
- InitialAccess
id: 4b5bb3fc-c690-4f54-9a74-016213d699b4
queryPeriod: 1h
# Maps the query's AccountCustomEntity column onto the Account entity's Name.
entityMappings:
- fieldMappings:
  - columnName: AccountCustomEntity
    identifier: Name
  entityType: Account
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/4b5bb3fc-c690-4f54-9a74-016213d699b4')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/4b5bb3fc-c690-4f54-9a74-016213d699b4')]",
      "properties": {
        "alertRuleTemplateName": "4b5bb3fc-c690-4f54-9a74-016213d699b4",
        "customDetails": null,
        "description": "'Detects multiple failed logins by same user.'\n",
        "displayName": "Claroty - Multiple failed logins by user",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AccountCustomEntity",
                "identifier": "Name"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Claroty/Analytic Rules/ClarotyMultipleFailedLogin.yaml",
        "query": "let threshold = 5;\nClarotyEvent\n| where EventType has 'Login to SRA'\n| where EventType !has 'succeeded'\n| extend SrcUsername = extract(@'User\\s(.*?)\\sfailed', 1, EventMessage)\n| summarize count() by SrcUsername, bin(TimeGenerated, 5m)\n| where count_ > threshold\n| extend AccountCustomEntity = SrcUsername\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess"
        ],
        "techniques": [
          "T1133",
          "T1190"
        ],
        "templateVersion": "1.0.2",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}