Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Failed Logins from Unknown or Invalid User

Back
Id884be6e7-e568-418e-9c12-89229865ffde
RulenameFailed Logins from Unknown or Invalid User
DescriptionThis query searches for numerous login attempts to the management console with an unknown or invalid user name
SeverityMedium
TacticsCredentialAccess
TechniquesT1110
Required data connectorsOktaSSO
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Okta Single Sign-On/Analytic Rules/FailedLoginsFromUnknownOrInvalidUser.yaml
Version1.0.2
Arm template884be6e7-e568-418e-9c12-89229865ffde.json
Deploy To Azure
let FailureThreshold = 15;
let FailedLogins = Okta_CL
| where eventType_s =~ "user.session.start" and outcome_reason_s =~ "VERIFICATION_ERROR"
| summarize count() by actor_alternateId_s, client_ipAddress_s, bin(TimeGenerated, 5m)
| where count_ > FailureThreshold
| project client_ipAddress_s, actor_alternateId_s;
Okta_CL
| join kind=inner (FailedLogins) on client_ipAddress_s, actor_alternateId_s
| where eventType_s =~ "user.session.start" and outcome_reason_s =~ "VERIFICATION_ERROR"
| summarize count() by actor_alternateId_s, ClientIP = client_ipAddress_s, City = column_ifexists('client_geographicalContext_city_s', ""), Country = column_ifexists('client_geographicalContext_country_s', ""), column_ifexists('published_t', now())
| sort by column_ifexists('published_t', now()) desc
| extend timestamp = column_ifexists('published_t', now()), IPCustomEntity = ClientIP, AccountCustomEntity = actor_alternateId_s
requiredDataConnectors:
- connectorId: OktaSSO
  dataTypes:
  - Okta_CL
triggerOperator: gt
queryFrequency: 1h
name: Failed Logins from Unknown or Invalid User
status: Available
queryPeriod: 1h
id: 884be6e7-e568-418e-9c12-89229865ffde
description: |
    'This query searches for numerous login attempts to the management console with an unknown or invalid user name'
severity: Medium
query: |
  let FailureThreshold = 15;
  let FailedLogins = Okta_CL
  | where eventType_s =~ "user.session.start" and outcome_reason_s =~ "VERIFICATION_ERROR"
  | summarize count() by actor_alternateId_s, client_ipAddress_s, bin(TimeGenerated, 5m)
  | where count_ > FailureThreshold
  | project client_ipAddress_s, actor_alternateId_s;
  Okta_CL
  | join kind=inner (FailedLogins) on client_ipAddress_s, actor_alternateId_s
  | where eventType_s =~ "user.session.start" and outcome_reason_s =~ "VERIFICATION_ERROR"
  | summarize count() by actor_alternateId_s, ClientIP = client_ipAddress_s, City = column_ifexists('client_geographicalContext_city_s', ""), Country = column_ifexists('client_geographicalContext_country_s', ""), column_ifexists('published_t', now())
  | sort by column_ifexists('published_t', now()) desc
  | extend timestamp = column_ifexists('published_t', now()), IPCustomEntity = ClientIP, AccountCustomEntity = actor_alternateId_s  
version: 1.0.2
kind: Scheduled
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Okta Single Sign-On/Analytic Rules/FailedLoginsFromUnknownOrInvalidUser.yaml
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: FullName
    columnName: AccountCustomEntity
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: IPCustomEntity
relevantTechniques:
- T1110
tactics:
- CredentialAccess
triggerThreshold: 0
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/884be6e7-e568-418e-9c12-89229865ffde')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/884be6e7-e568-418e-9c12-89229865ffde')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01-preview",
      "properties": {
        "displayName": "Failed Logins from Unknown or Invalid User",
        "description": "'This query searches for numerous login attempts to the management console with an unknown or invalid user name'\n",
        "severity": "Medium",
        "enabled": true,
        "query": "let FailureThreshold = 15;\nlet FailedLogins = Okta_CL\n| where eventType_s =~ \"user.session.start\" and outcome_reason_s =~ \"VERIFICATION_ERROR\"\n| summarize count() by actor_alternateId_s, client_ipAddress_s, bin(TimeGenerated, 5m)\n| where count_ > FailureThreshold\n| project client_ipAddress_s, actor_alternateId_s;\nOkta_CL\n| join kind=inner (FailedLogins) on client_ipAddress_s, actor_alternateId_s\n| where eventType_s =~ \"user.session.start\" and outcome_reason_s =~ \"VERIFICATION_ERROR\"\n| summarize count() by actor_alternateId_s, ClientIP = client_ipAddress_s, City = column_ifexists('client_geographicalContext_city_s', \"\"), Country = column_ifexists('client_geographicalContext_country_s', \"\"), column_ifexists('published_t', now())\n| sort by column_ifexists('published_t', now()) desc\n| extend timestamp = column_ifexists('published_t', now()), IPCustomEntity = ClientIP, AccountCustomEntity = actor_alternateId_s\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CredentialAccess"
        ],
        "techniques": [
          "T1110"
        ],
        "alertRuleTemplateName": "884be6e7-e568-418e-9c12-89229865ffde",
        "customDetails": null,
        "entityMappings": [
          {
            "fieldMappings": [
              {
                "identifier": "FullName",
                "columnName": "AccountCustomEntity"
              }
            ],
            "entityType": "Account"
          },
          {
            "fieldMappings": [
              {
                "identifier": "Address",
                "columnName": "IPCustomEntity"
              }
            ],
            "entityType": "IP"
          }
        ],
        "templateVersion": "1.0.2",
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Okta Single Sign-On/Analytic Rules/FailedLoginsFromUnknownOrInvalidUser.yaml",
        "status": "Available"
      }
    }
  ]
}