Claroty - Multiple failed logins by user
| Id | 4b5bb3fc-c690-4f54-9a74-016213d699b4 |
| Rulename | Claroty - Multiple failed logins by user |
| Description | Detects multiple failed logins by the same user in Claroty SRA event logs. The rule keeps "Login to SRA" events whose type does not say "succeeded", extracts the source username from the event message (which is expected to read "User <name> failed ..."), counts failures per user in fixed 5-minute buckets, and alerts when a user has more than 5 failed logins (6 or more) within a single bucket. |
| Severity | High |
| Tactics | CredentialAccess InitialAccess |
| Techniques | T1110 T1190 T1133 |
| Required data connectors | CefAma |
| Kind | Scheduled |
| Query frequency | 1h |
| Query period | 1h |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Claroty/Analytic Rules/ClarotyMultipleFailedLogin.yaml |
| Version | 1.0.4 |
| Arm template | 4b5bb3fc-c690-4f54-9a74-016213d699b4.json |
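// Failed logins per user per 5-minute bucket; the rule fires when the count is
// strictly greater than this value (i.e. 6 or more).
let threshold = 5;
ClarotyEvent
// Keep "Login to SRA" events whose type does not say "succeeded". `has` is a
// case-insensitive term match on EventType; whether the message is really a
// failure is left to the regex below.
| where EventType has 'Login to SRA'
| where EventType !has 'succeeded'
// Pull the account name out of the free-text message. The pattern is
// case-sensitive and assumes the message reads "User <name> failed ..." —
// confirm against sample events. A non-matching message yields an empty
// string and the row is dropped on the next line.
| extend SrcUsername = trim(' ', tostring(extract(@'User\s(.*?)\sfailed', 1, EventMessage)))
| where isnotempty(SrcUsername)
// Count per user in fixed, wall-clock-aligned 5m buckets. A burst that
// straddles a bucket boundary is split across two buckets and can be
// undercounted; StartTime/EndTime expose the observed window for triage.
| summarize FailedLogins = count(), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by SrcUsername, bin(TimeGenerated, 5m)
| where FailedLogins > threshold
// Surfaced as the Account entity through the rule's entityMappings.
| extend AccountCustomEntity = SrcUsername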
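# Microsoft Sentinel scheduled analytic rule from the Claroty solution.
# Data path: CEF via AMA -> CommonSecurityLog -> ClarotyEvent. ClarotyEvent is
# not a native table; presumably it is the solution's parser function over
# CommonSecurityLog — confirm it is deployed alongside this rule, otherwise the
# query fails to resolve.
entityMappings:
  # The extracted user name is surfaced as an Account entity for investigation.
  - fieldMappings:
      - columnName: AccountCustomEntity
        identifier: Name
    entityType: Account
# Alert whenever the query returns at least one row (row count > 0).
triggerOperator: gt
tactics:
  - CredentialAccess
  - InitialAccess
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Claroty/Analytic Rules/ClarotyMultipleFailedLogin.yaml
alertDetailsOverride:
  alertDescriptionFormat: '{{FailedLogins}} failed logins for user {{SrcUsername}} exceeded the threshold in 5 minutes.'
  alertDisplayNameFormat: Claroty multiple failed logins for {{SrcUsername}}
version: 1.0.4
query: |
  // Failed logins per user per 5-minute bucket; the rule fires when the count is
  // strictly greater than this value (i.e. 6 or more).
  let threshold = 5;
  ClarotyEvent
  // Keep "Login to SRA" events whose type does not say "succeeded". `has` is a
  // case-insensitive term match on EventType; whether the message is really a
  // failure is left to the regex below.
  | where EventType has 'Login to SRA'
  | where EventType !has 'succeeded'
  // Pull the account name out of the free-text message. The pattern is
  // case-sensitive and assumes the message reads "User <name> failed ..." —
  // confirm against sample events. A non-matching message yields an empty
  // string and the row is dropped on the next line.
  | extend SrcUsername = trim(' ', tostring(extract(@'User\s(.*?)\sfailed', 1, EventMessage)))
  | where isnotempty(SrcUsername)
  // Count per user in fixed, wall-clock-aligned 5m buckets. A burst that
  // straddles a bucket boundary is split across two buckets and can be
  // undercounted; StartTime/EndTime expose the observed window for triage.
  | summarize FailedLogins = count(), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by SrcUsername, bin(TimeGenerated, 5m)
  | where FailedLogins > threshold
  // Surfaced as the Account entity through the rule's entityMappings.
  | extend AccountCustomEntity = SrcUsername
triggerThreshold: 0
relevantTechniques:
  - T1110
  - T1190
  - T1133
# Lookback equals the run interval, so consecutive runs do not overlap and the
# same failed logins are not counted twice.
queryPeriod: 1h
status: Available
severity: High
kind: Scheduled
name: Claroty - Multiple failed logins by user
queryFrequency: 1h
id: 4b5bb3fc-c690-4f54-9a74-016213d699b4
description: Detects multiple failed logins by the same user in Claroty SRA event logs. The rule keeps "Login to SRA" events whose type does not say "succeeded", extracts the source username from the event message (which is expected to read "User <name> failed ..."), counts failures per user in fixed 5-minute buckets, and alerts when a user has more than 5 failed logins (6 or more) within a single bucket.
# CEF via AMA lands in CommonSecurityLog; the query itself reads ClarotyEvent
# (see the note at the top of this file).
requiredDataConnectors:
  - dataTypes:
      - CommonSecurityLog
    connectorId: CefAma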