Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Claroty - Multiple failed logins by user

Back
Id4b5bb3fc-c690-4f54-9a74-016213d699b4
RulenameClaroty - Multiple failed logins by user
DescriptionDetects multiple failed logins by same user.
SeverityHigh
TacticsInitialAccess
TechniquesT1190
T1133
Required data connectorsClaroty
ClarotyAma
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Claroty/Analytic Rules/ClarotyMultipleFailedLogin.yaml
Version1.0.1
Arm template4b5bb3fc-c690-4f54-9a74-016213d699b4.json
Deploy To Azure
let threshold = 5;
ClarotyEvent
| where EventType has 'Login to SRA'
| where EventType !has 'succeeded'
| extend SrcUsername = extract(@'User\s(.*?)\sfailed', 1, EventMessage)
| summarize count() by SrcUsername, bin(TimeGenerated, 5m)
| where count_ > threshold
| extend AccountCustomEntity = SrcUsername
queryFrequency: 1h
severity: High
id: 4b5bb3fc-c690-4f54-9a74-016213d699b4
status: Available
requiredDataConnectors:
- dataTypes:
  - ClarotyEvent
  connectorId: Claroty
- dataTypes:
  - ClarotyEvent
  connectorId: ClarotyAma
kind: Scheduled
description: |
    'Detects multiple failed logins by same user.'
query: |
  let threshold = 5;
  ClarotyEvent
  | where EventType has 'Login to SRA'
  | where EventType !has 'succeeded'
  | extend SrcUsername = extract(@'User\s(.*?)\sfailed', 1, EventMessage)
  | summarize count() by SrcUsername, bin(TimeGenerated, 5m)
  | where count_ > threshold
  | extend AccountCustomEntity = SrcUsername  
tactics:
- InitialAccess
triggerThreshold: 0
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Claroty/Analytic Rules/ClarotyMultipleFailedLogin.yaml
relevantTechniques:
- T1190
- T1133
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: Name
    columnName: AccountCustomEntity
version: 1.0.1
name: Claroty - Multiple failed logins by user
queryPeriod: 1h
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2023-02-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/4b5bb3fc-c690-4f54-9a74-016213d699b4')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/4b5bb3fc-c690-4f54-9a74-016213d699b4')]",
      "properties": {
        "alertRuleTemplateName": "4b5bb3fc-c690-4f54-9a74-016213d699b4",
        "customDetails": null,
        "description": "'Detects multiple failed logins by same user.'\n",
        "displayName": "Claroty - Multiple failed logins by user",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AccountCustomEntity",
                "identifier": "Name"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Claroty/Analytic Rules/ClarotyMultipleFailedLogin.yaml",
        "query": "let threshold = 5;\nClarotyEvent\n| where EventType has 'Login to SRA'\n| where EventType !has 'succeeded'\n| extend SrcUsername = extract(@'User\\s(.*?)\\sfailed', 1, EventMessage)\n| summarize count() by SrcUsername, bin(TimeGenerated, 5m)\n| where count_ > threshold\n| extend AccountCustomEntity = SrcUsername\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "High",
        "status": "Available",
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess"
        ],
        "techniques": [
          "T1133",
          "T1190"
        ],
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}