Bitglass - Multiple failed logins

Back


Id	7c570bfc-9f20-490e-80e8-b898c7ce4bda
Rulename	Bitglass - Multiple failed logins
Description	Detects multiple failed logins.
Severity	High
Tactics	CredentialAccess
Techniques	T1110
Required data connectors	Bitglass
Kind	Scheduled
Query frequency	1h
Query period	1h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Bitglass/Analytic Rules/BitglassMultipleFailedLogins.yaml
Version	1.0.1
Arm template	7c570bfc-9f20-490e-80e8-b898c7ce4bda.json

KQL

let threshold = 10;
Bitglass
| where EventType =~ 'access'
| where EventResultDetails =~ 'Failed login attempt.'
| summarize count() by User, bin(TimeGenerated, 10m)
| where count_ >= threshold
| extend AccountCustomEntity = User

YAML

entityMappings:
- fieldMappings:
  - columnName: AccountCustomEntity
    identifier: Name
  entityType: Account
severity: High
name: Bitglass - Multiple failed logins
triggerThreshold: 0
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Bitglass/Analytic Rules/BitglassMultipleFailedLogins.yaml
id: 7c570bfc-9f20-490e-80e8-b898c7ce4bda
kind: Scheduled
status: Available
queryFrequency: 1h
relevantTechniques:
- T1110
description: |
    'Detects multiple failed logins.'
query: |
  let threshold = 10;
  Bitglass
  | where EventType =~ 'access'
  | where EventResultDetails =~ 'Failed login attempt.'
  | summarize count() by User, bin(TimeGenerated, 10m)
  | where count_ >= threshold
  | extend AccountCustomEntity = User  
version: 1.0.1
tactics:
- CredentialAccess
queryPeriod: 1h
requiredDataConnectors:
- dataTypes:
  - Bitglass
  connectorId: Bitglass

ARM