Microsoft Sentinel Analytic Rules

Claroty - Multiple failed logins by user

Id: 4b5bb3fc-c690-4f54-9a74-016213d699b4
Rulename: Claroty - Multiple failed logins by user
Description: Detects multiple failed logins by the same user in Claroty SRA event logs. The rule looks for failed Login to SRA events, extracts the source username from the event message, and alerts when a user exceeds 5 failed logins within 5 minutes.
Severity: High
Tactics: CredentialAccess, InitialAccess
Techniques: T1110, T1190, T1133
Required data connectors: CefAma
Kind: Scheduled
Query frequency: 1h
Query period: 1h
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Claroty/Analytic Rules/ClarotyMultipleFailedLogin.yaml
Version: 1.0.4
Arm template: 4b5bb3fc-c690-4f54-9a74-016213d699b4.json
let threshold = 5;
ClarotyEvent
| where EventType has 'Login to SRA'
| where EventType !has 'succeeded'
| extend SrcUsername = trim(' ', tostring(extract(@'User\s(.*?)\sfailed', 1, EventMessage)))
| where isnotempty(SrcUsername)
| summarize FailedLogins = count() by SrcUsername, bin(TimeGenerated, 5m)
| where FailedLogins > threshold
| extend AccountCustomEntity = SrcUsername
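To show what the KQL above evaluates step by step, here is an added Python re-implementation of the rule's filter, username extraction, 5-minute binning and threshold, run over a few constructed rows. This is example code written for this page, not part of the Sentinel rule or the Claroty connector; the sample events are made up, and the `has`/`!has` checks are approximated with case-insensitive substring matches.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

THRESHOLD = 5                                  # let threshold = 5;
USER_RE = re.compile(r"User\s(.*?)\sfailed")   # the rule's extract() pattern


def bin_time(ts: datetime) -> datetime:
    """Floor a timestamp to the start of its 5-minute bin, like bin(TimeGenerated, 5m)."""
    floored = ts.replace(second=0, microsecond=0)
    return floored - timedelta(minutes=floored.minute % 5)


def failed_logins_by_user(events, threshold=THRESHOLD):
    """Mirror the rule's KQL over dict rows with TimeGenerated, EventType, EventMessage.

    Returns {(SrcUsername, bin_start): FailedLogins} for bins over the threshold.
    """
    counts = Counter()
    for ev in events:
        etype = ev["EventType"].lower()
        # where EventType has 'Login to SRA' | where EventType !has 'succeeded'
        if "login to sra" not in etype or "succeeded" in etype:
            continue
        match = USER_RE.search(ev["EventMessage"])
        user = match.group(1).strip() if match else ""   # trim(' ', extract(...))
        if not user:
            continue                                     # where isnotempty(SrcUsername)
        counts[(user, bin_time(ev["TimeGenerated"]))] += 1   # summarize count() by ..., bin()
    return {key: n for key, n in counts.items() if n > threshold}   # where FailedLogins > threshold


# Constructed sample rows (not real Claroty output): alice fails 6 times in one
# 5-minute bin, bob fails 3 times, and alice's later success must be ignored.
base = datetime(2024, 1, 1, 10, 0)
SAMPLE_EVENTS = (
    [{"TimeGenerated": base + timedelta(seconds=30 * i),
      "EventType": "Login to SRA failed",
      "EventMessage": "User alice failed to log in"} for i in range(6)]
    + [{"TimeGenerated": base + timedelta(minutes=1),
        "EventType": "Login to SRA failed",
        "EventMessage": "User bob failed to log in"} for _ in range(3)]
    + [{"TimeGenerated": base + timedelta(minutes=2),
        "EventType": "Login to SRA succeeded",
        "EventMessage": "User alice logged in"}]
)

if __name__ == "__main__":
    for (user, start), n in failed_logins_by_user(SAMPLE_EVENTS).items():
        print(f"{n} failed logins for user {user} exceeded the threshold in bin {start:%H:%M}")
```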
name: Claroty - Multiple failed logins by user
query: |
  let threshold = 5;
  ClarotyEvent
  | where EventType has 'Login to SRA'
  | where EventType !has 'succeeded'
  | extend SrcUsername = trim(' ', tostring(extract(@'User\s(.*?)\sfailed', 1, EventMessage)))
  | where isnotempty(SrcUsername)
  | summarize FailedLogins = count() by SrcUsername, bin(TimeGenerated, 5m)
  | where FailedLogins > threshold
  | extend AccountCustomEntity = SrcUsername  
entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: AccountCustomEntity
    identifier: Name
queryPeriod: 1h
version: 1.0.4
tactics:
- CredentialAccess
- InitialAccess
triggerOperator: gt
kind: Scheduled
triggerThreshold: 0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Claroty/Analytic Rules/ClarotyMultipleFailedLogin.yaml
alertDetailsOverride:
  alertDescriptionFormat: '{{FailedLogins}} failed logins for user {{SrcUsername}} exceeded the threshold in 5 minutes.'
  alertDisplayNameFormat: Claroty multiple failed logins for {{SrcUsername}}
relevantTechniques:
- T1110
- T1190
- T1133
id: 4b5bb3fc-c690-4f54-9a74-016213d699b4
severity: High
requiredDataConnectors:
- connectorId: CefAma
  dataTypes:
  - CommonSecurityLog
status: Available
description: Detects multiple failed logins by the same user in Claroty SRA event logs. The rule looks for failed Login to SRA events, extracts the source username from the event message, and alerts when a user exceeds 5 failed logins within 5 minutes.
queryFrequency: 1h