let threshold = 10;
SlackAudit
| where DvcAction =~ 'user_login_failed'
| summarize count() by SrcUserName, bucket = bin(TimeGenerated, 5m)
| where count_ > threshold
| extend AccountCustomEntity = SrcUserName
triggerOperator: gt
queryFrequency: 1h
requiredDataConnectors:
- connectorId: SlackAuditAPI
dataTypes:
- SlackAudit_CL
relevantTechniques:
- T1110
entityMappings:
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: AccountCustomEntity
query: |
let threshold = 10;
SlackAudit
| where DvcAction =~ 'user_login_failed'
| summarize count() by SrcUserName, bucket = bin(TimeGenerated, 5m)
| where count_ > threshold
| extend AccountCustomEntity = SrcUserName
triggerThreshold: 0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SlackAudit/Analytic Rules/SlackAuditMultipleFailedLoginsForUser.yaml
queryPeriod: 1h
name: SlackAudit - Multiple failed logins for user
status: Available
kind: Scheduled
description: |
'This query helps to detect bruteforce of a user account.'
id: 93a91c37-032c-4380-847c-957c001957ad
version: 1.0.0
tactics:
- CredentialAccess
severity: Medium
