SlackAudit - Multiple failed logins for user

Back


Id	93a91c37-032c-4380-847c-957c001957ad
Rulename	SlackAudit - Multiple failed logins for user
Description	This query helps to detect bruteforce of a user account.
Severity	Medium
Tactics	CredentialAccess
Techniques	T1110
Required data connectors	SlackAuditAPI
Kind	Scheduled
Query frequency	1h
Query period	1h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SlackAudit/Analytic Rules/SlackAuditMultipleFailedLoginsForUser.yaml
Version	1.0.0
Arm template	93a91c37-032c-4380-847c-957c001957ad.json

KQL

let threshold = 10;
SlackAudit
| where DvcAction =~ 'user_login_failed'
| summarize count() by SrcUserName, bucket = bin(TimeGenerated, 5m)
| where count_ > threshold
| extend AccountCustomEntity = SrcUserName

YAML

requiredDataConnectors:
- dataTypes:
  - SlackAudit_CL
  connectorId: SlackAuditAPI
relevantTechniques:
- T1110
triggerOperator: gt
version: 1.0.0
queryFrequency: 1h
severity: Medium
triggerThreshold: 0
entityMappings:
- fieldMappings:
  - columnName: AccountCustomEntity
    identifier: FullName
  entityType: Account
name: SlackAudit - Multiple failed logins for user
query: |
  let threshold = 10;
  SlackAudit
  | where DvcAction =~ 'user_login_failed'
  | summarize count() by SrcUserName, bucket = bin(TimeGenerated, 5m)
  | where count_ > threshold
  | extend AccountCustomEntity = SrcUserName  
tactics:
- CredentialAccess
queryPeriod: 1h
description: |
    'This query helps to detect bruteforce of a user account.'
kind: Scheduled
id: 93a91c37-032c-4380-847c-957c001957ad
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SlackAudit/Analytic Rules/SlackAuditMultipleFailedLoginsForUser.yaml
status: Available

ARM