let threshold = 10;
SlackAudit
| where DvcAction =~ 'user_login_failed'
| summarize count() by SrcUserName, bucket = bin(TimeGenerated, 5m)
| where count_ > threshold
| extend AccountCustomEntity = SrcUserName
relevantTechniques:
- T1110
entityMappings:
- fieldMappings:
- columnName: AccountCustomEntity
identifier: FullName
entityType: Account
triggerThreshold: 0
description: |
'This query helps to detect bruteforce of a user account.'
requiredDataConnectors:
- connectorId: SlackAuditAPI
dataTypes:
- SlackAudit_CL
triggerOperator: gt
version: 1.0.0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SlackAudit/Analytic Rules/SlackAuditMultipleFailedLoginsForUser.yaml
id: 93a91c37-032c-4380-847c-957c001957ad
queryFrequency: 1h
query: |
let threshold = 10;
SlackAudit
| where DvcAction =~ 'user_login_failed'
| summarize count() by SrcUserName, bucket = bin(TimeGenerated, 5m)
| where count_ > threshold
| extend AccountCustomEntity = SrcUserName
severity: Medium
status: Available
queryPeriod: 1h
name: SlackAudit - Multiple failed logins for user
tactics:
- CredentialAccess
kind: Scheduled
