Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Claroty - Multiple failed logins by user

Back
Id4b5bb3fc-c690-4f54-9a74-016213d699b4
RulenameClaroty - Multiple failed logins by user
DescriptionDetects multiple failed logins by same user.
SeverityHigh
TacticsInitialAccess
TechniquesT1190
T1133
Required data connectorsClaroty
ClarotyAma
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Claroty/Analytic Rules/ClarotyMultipleFailedLogin.yaml
Version1.0.1
Arm template4b5bb3fc-c690-4f54-9a74-016213d699b4.json
Deploy To Azure
let threshold = 5;
ClarotyEvent
| where EventType has 'Login to SRA'
| where EventType !has 'succeeded'
| extend SrcUsername = extract(@'User\s(.*?)\sfailed', 1, EventMessage)
| summarize count() by SrcUsername, bin(TimeGenerated, 5m)
| where count_ > threshold
| extend AccountCustomEntity = SrcUsername
status: Available
id: 4b5bb3fc-c690-4f54-9a74-016213d699b4
name: Claroty - Multiple failed logins by user
requiredDataConnectors:
- connectorId: Claroty
  dataTypes:
  - ClarotyEvent
- connectorId: ClarotyAma
  dataTypes:
  - ClarotyEvent
severity: High
triggerThreshold: 0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Claroty/Analytic Rules/ClarotyMultipleFailedLogin.yaml
kind: Scheduled
description: |
    'Detects multiple failed logins by same user.'
relevantTechniques:
- T1190
- T1133
queryPeriod: 1h
triggerOperator: gt
queryFrequency: 1h
query: |
  let threshold = 5;
  ClarotyEvent
  | where EventType has 'Login to SRA'
  | where EventType !has 'succeeded'
  | extend SrcUsername = extract(@'User\s(.*?)\sfailed', 1, EventMessage)
  | summarize count() by SrcUsername, bin(TimeGenerated, 5m)
  | where count_ > threshold
  | extend AccountCustomEntity = SrcUsername  
version: 1.0.1
tactics:
- InitialAccess
entityMappings:
- fieldMappings:
  - identifier: Name
    columnName: AccountCustomEntity
  entityType: Account
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2023-02-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/4b5bb3fc-c690-4f54-9a74-016213d699b4')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/4b5bb3fc-c690-4f54-9a74-016213d699b4')]",
      "properties": {
        "alertRuleTemplateName": "4b5bb3fc-c690-4f54-9a74-016213d699b4",
        "customDetails": null,
        "description": "'Detects multiple failed logins by same user.'\n",
        "displayName": "Claroty - Multiple failed logins by user",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AccountCustomEntity",
                "identifier": "Name"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Claroty/Analytic Rules/ClarotyMultipleFailedLogin.yaml",
        "query": "let threshold = 5;\nClarotyEvent\n| where EventType has 'Login to SRA'\n| where EventType !has 'succeeded'\n| extend SrcUsername = extract(@'User\\s(.*?)\\sfailed', 1, EventMessage)\n| summarize count() by SrcUsername, bin(TimeGenerated, 5m)\n| where count_ > threshold\n| extend AccountCustomEntity = SrcUsername\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "High",
        "status": "Available",
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess"
        ],
        "techniques": [
          "T1133",
          "T1190"
        ],
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}