Claroty - Multiple failed logins by user
| Id | 4b5bb3fc-c690-4f54-9a74-016213d699b4 |
| Rulename | Claroty - Multiple failed logins by user |
| Description | Detects multiple failed logins by the same user in Claroty SRA event logs. The rule looks for failed Login to SRA events, extracts the source username from the event message, and alerts when a user exceeds 5 failed logins within 5 minutes. |
| Severity | High |
| Tactics | CredentialAccess InitialAccess |
| Techniques | T1110 T1190 T1133 |
| Required data connectors | CefAma |
| Kind | Scheduled |
| Query frequency | 1h |
| Query period | 1h |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Claroty/Analytic Rules/ClarotyMultipleFailedLogin.yaml |
| Version | 1.0.4 |
| Arm template | 4b5bb3fc-c690-4f54-9a74-016213d699b4.json |
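// Alert when a single user has more than `threshold` failed 'Login to SRA'
// events inside one fixed 5-minute bin. Output columns SrcUsername and
// FailedLogins are referenced by the rule's alert details; AccountCustomEntity
// by its Account entity mapping.
let threshold = 5;
ClarotyEvent
| where EventType has 'Login to SRA'
| where EventType !has 'succeeded'
// The username only exists in the message text; the regex expects the wording
// "User <name> failed ..." and yields empty (dropped below) if the format differs.
| extend SrcUsername = trim(' ', tostring(extract(@'User\s(.*?)\sfailed', 1, EventMessage)))
| where isnotempty(SrcUsername)
// Fixed 5m bins, not a sliding window: a burst straddling a bin boundary is
// split across two bins and may stay under the threshold in both.
// StartTime/EndTime give the triage window for the bin; TimeGenerated is the bin start.
| summarize FailedLogins = count(), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by SrcUsername, bin(TimeGenerated, 5m)
// Strictly greater: 6 or more failures in a bin fires.
| where FailedLogins > threshold
| extend AccountCustomEntity = SrcUsername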
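# Scheduled analytic rule: burst of failed Claroty SRA logins by one user.
# Structure restored to valid YAML indentation; values unchanged.
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: Name
        # Column produced by the final `extend` in the query below.
        columnName: AccountCustomEntity
tactics:
  - CredentialAccess
  - InitialAccess
requiredDataConnectors:
  - dataTypes:
      - CommonSecurityLog
    # CEF via AMA. The query reads ClarotyEvent, presumably the solution's
    # parser over CommonSecurityLog — confirm the parser function is deployed
    # in the workspace or the rule returns nothing.
    connectorId: CefAma
alertDetailsOverride:
  # Both placeholders are columns emitted by the query.
  alertDisplayNameFormat: Claroty multiple failed logins for {{SrcUsername}}
  alertDescriptionFormat: '{{FailedLogins}} failed logins for user {{SrcUsername}} exceeded the threshold in 5 minutes.'
id: 4b5bb3fc-c690-4f54-9a74-016213d699b4
severity: High
status: Available
# "Within 5 minutes" is implemented as fixed 5m bins, not a sliding window; a
# burst that straddles a bin boundary is split and may not fire.
query: |
  // Alert when a single user has more than `threshold` failed 'Login to SRA'
  // events inside one fixed 5-minute bin. Output columns SrcUsername and
  // FailedLogins are referenced by the rule's alert details; AccountCustomEntity
  // by its Account entity mapping.
  let threshold = 5;
  ClarotyEvent
  | where EventType has 'Login to SRA'
  | where EventType !has 'succeeded'
  // The username only exists in the message text; the regex expects the wording
  // "User <name> failed ..." and yields empty (dropped below) if the format differs.
  | extend SrcUsername = trim(' ', tostring(extract(@'User\s(.*?)\sfailed', 1, EventMessage)))
  | where isnotempty(SrcUsername)
  // Fixed 5m bins, not a sliding window: a burst straddling a bin boundary is
  // split across two bins and may stay under the threshold in both.
  // StartTime/EndTime give the triage window for the bin; TimeGenerated is the bin start.
  | summarize FailedLogins = count(), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by SrcUsername, bin(TimeGenerated, 5m)
  // Strictly greater: 6 or more failures in a bin fires.
  | where FailedLogins > threshold
  | extend AccountCustomEntity = SrcUsername
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Claroty/Analytic Rules/ClarotyMultipleFailedLogin.yaml
kind: Scheduled
# Runs hourly over the last hour; a 5m bin cut by the period boundary is only
# partially counted in that run.
queryPeriod: 1h
version: 1.0.4
name: Claroty - Multiple failed logins by user
queryFrequency: 1h
# gt 0: fire when the query returns at least one row (the per-user threshold
# is enforced inside the query).
triggerThreshold: 0
relevantTechniques:
  - T1110
  - T1190
  - T1133
description: Detects multiple failed logins by the same user in Claroty SRA event logs. The rule looks for failed Login to SRA events, extracts the source username from the event message, and alerts when a user exceeds 5 failed logins within 5 minutes.
triggerOperator: gt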