GWorkspace - Possible brute force attack

Back


Id	8f6cd9a4-5e57-11ec-bf63-0242ac130002
Rulename	GWorkspace - Possible brute force attack
Description	Detects possible brute force attack.
Severity	Medium
Tactics	CredentialAccess
Techniques	T1110
Required data connectors	GoogleWorkspaceReportsAPI
Kind	Scheduled
Query frequency	1h
Query period	1h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GoogleWorkspaceReports/Analytic Rules/GWorkspacePossibleBruteForce.yaml
Version	1.0.1
Arm template	8f6cd9a4-5e57-11ec-bf63-0242ac130002.json

KQL

let threshold = 5;
GWorkspaceActivityReports
| where EventMessage has "login_failure"
| summarize login_attempts = count() by ActorEmail, bin(TimeGenerated, 5m)
| where login_attempts > threshold
| extend AccountCustomEntity = ActorEmail

YAML

name: GWorkspace - Possible brute force attack
relevantTechniques:
- T1110
id: 8f6cd9a4-5e57-11ec-bf63-0242ac130002
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GoogleWorkspaceReports/Analytic Rules/GWorkspacePossibleBruteForce.yaml
requiredDataConnectors:
- dataTypes:
  - GWorkspaceActivityReports
  connectorId: GoogleWorkspaceReportsAPI
version: 1.0.1
severity: Medium
triggerThreshold: 0
queryPeriod: 1h
entityMappings:
- fieldMappings:
  - identifier: Name
    columnName: AccountCustomEntity
  entityType: Account
queryFrequency: 1h
status: Available
query: |
  let threshold = 5;
  GWorkspaceActivityReports
  | where EventMessage has "login_failure"
  | summarize login_attempts = count() by ActorEmail, bin(TimeGenerated, 5m)
  | where login_attempts > threshold
  | extend AccountCustomEntity = ActorEmail  
tactics:
- CredentialAccess
kind: Scheduled
description: |
    'Detects possible brute force attack.'
triggerOperator: gt

ARM