GWorkspace - Possible brute force attack

Back


Id	8f6cd9a4-5e57-11ec-bf63-0242ac130002
Rulename	GWorkspace - Possible brute force attack
Description	Detects possible brute force attack.
Severity	Medium
Tactics	CredentialAccess
Techniques	T1110
Required data connectors	GoogleWorkspaceReportsAPI
Kind	Scheduled
Query frequency	1h
Query period	1h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GoogleWorkspaceReports/Analytic Rules/GWorkspacePossibleBruteForce.yaml
Version	1.0.1
Arm template	8f6cd9a4-5e57-11ec-bf63-0242ac130002.json

KQL

let threshold = 5;
GWorkspaceActivityReports
| where EventMessage has "login_failure"
| summarize login_attempts = count() by ActorEmail, bin(TimeGenerated, 5m)
| where login_attempts > threshold
| extend AccountCustomEntity = ActorEmail

YAML

relevantTechniques:
- T1110
entityMappings:
- fieldMappings:
  - columnName: AccountCustomEntity
    identifier: Name
  entityType: Account
triggerThreshold: 0
description: |
    'Detects possible brute force attack.'
requiredDataConnectors:
- connectorId: GoogleWorkspaceReportsAPI
  dataTypes:
  - GWorkspaceActivityReports
triggerOperator: gt
version: 1.0.1
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GoogleWorkspaceReports/Analytic Rules/GWorkspacePossibleBruteForce.yaml
id: 8f6cd9a4-5e57-11ec-bf63-0242ac130002
queryFrequency: 1h
query: |
  let threshold = 5;
  GWorkspaceActivityReports
  | where EventMessage has "login_failure"
  | summarize login_attempts = count() by ActorEmail, bin(TimeGenerated, 5m)
  | where login_attempts > threshold
  | extend AccountCustomEntity = ActorEmail  
severity: Medium
status: Available
queryPeriod: 1h
name: GWorkspace - Possible brute force attack
tactics:
- CredentialAccess
kind: Scheduled

ARM