SlackAudit - Multiple failed logins for user

Back


Id	93a91c37-032c-4380-847c-957c001957ad
Rulename	SlackAudit - Multiple failed logins for user
Description	This query helps to detect bruteforce of a user account.
Severity	Medium
Tactics	CredentialAccess
Techniques	T1110
Required data connectors	SlackAuditAPI
Kind	Scheduled
Query frequency	1h
Query period	1h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SlackAudit/Analytic Rules/SlackAuditMultipleFailedLoginsForUser.yaml
Version	1.0.0
Arm template	93a91c37-032c-4380-847c-957c001957ad.json

KQL

let threshold = 10;
SlackAudit
| where DvcAction =~ 'user_login_failed'
| summarize count() by SrcUserName, bucket = bin(TimeGenerated, 5m)
| where count_ > threshold
| extend AccountCustomEntity = SrcUserName

YAML

triggerThreshold: 0
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: FullName
    columnName: AccountCustomEntity
requiredDataConnectors:
- dataTypes:
  - SlackAudit_CL
  connectorId: SlackAuditAPI
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SlackAudit/Analytic Rules/SlackAuditMultipleFailedLoginsForUser.yaml
name: SlackAudit - Multiple failed logins for user
relevantTechniques:
- T1110
status: Available
version: 1.0.0
queryPeriod: 1h
kind: Scheduled
id: 93a91c37-032c-4380-847c-957c001957ad
query: |
  let threshold = 10;
  SlackAudit
  | where DvcAction =~ 'user_login_failed'
  | summarize count() by SrcUserName, bucket = bin(TimeGenerated, 5m)
  | where count_ > threshold
  | extend AccountCustomEntity = SrcUserName  
description: |
    'This query helps to detect bruteforce of a user account.'
queryFrequency: 1h
severity: Medium
triggerOperator: gt
tactics:
- CredentialAccess

ARM