Bitglass - Multiple failed logins

Back


Id	7c570bfc-9f20-490e-80e8-b898c7ce4bda
Rulename	Bitglass - Multiple failed logins
Description	Detects multiple failed logins.
Severity	High
Tactics	CredentialAccess
Techniques	T1110
Required data connectors	Bitglass
Kind	Scheduled
Query frequency	1h
Query period	1h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Bitglass/Analytic Rules/BitglassMultipleFailedLogins.yaml
Version	1.0.1
Arm template	7c570bfc-9f20-490e-80e8-b898c7ce4bda.json

KQL

let threshold = 10;
Bitglass
| where EventType =~ 'access'
| where EventResultDetails =~ 'Failed login attempt.'
| summarize count() by User, bin(TimeGenerated, 10m)
| where count_ >= threshold
| extend AccountCustomEntity = User

YAML

triggerThreshold: 0
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: Name
    columnName: AccountCustomEntity
requiredDataConnectors:
- dataTypes:
  - Bitglass
  connectorId: Bitglass
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Bitglass/Analytic Rules/BitglassMultipleFailedLogins.yaml
name: Bitglass - Multiple failed logins
relevantTechniques:
- T1110
status: Available
version: 1.0.1
queryPeriod: 1h
kind: Scheduled
id: 7c570bfc-9f20-490e-80e8-b898c7ce4bda
query: |
  let threshold = 10;
  Bitglass
  | where EventType =~ 'access'
  | where EventResultDetails =~ 'Failed login attempt.'
  | summarize count() by User, bin(TimeGenerated, 10m)
  | where count_ >= threshold
  | extend AccountCustomEntity = User  
description: |
    'Detects multiple failed logins.'
queryFrequency: 1h
severity: High
triggerOperator: gt
tactics:
- CredentialAccess

ARM