let threshold = 10;
SlackAudit
| where DvcAction =~ 'user_login_failed'
| summarize count() by SrcUserName, bucket = bin(TimeGenerated, 5m)
| where count_ > threshold
| extend AccountCustomEntity = SrcUserName
version: 1.0.0
id: 93a91c37-032c-4380-847c-957c001957ad
name: SlackAudit - Multiple failed logins for user
queryPeriod: 1h
requiredDataConnectors:
- connectorId: SlackAuditAPI
dataTypes:
- SlackAudit_CL
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SlackAudit/Analytic Rules/SlackAuditMultipleFailedLoginsForUser.yaml
query: |
let threshold = 10;
SlackAudit
| where DvcAction =~ 'user_login_failed'
| summarize count() by SrcUserName, bucket = bin(TimeGenerated, 5m)
| where count_ > threshold
| extend AccountCustomEntity = SrcUserName
relevantTechniques:
- T1110
entityMappings:
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: AccountCustomEntity
severity: Medium
kind: Scheduled
triggerThreshold: 0
triggerOperator: gt
tactics:
- CredentialAccess
status: Available
queryFrequency: 1h
description: |
'This query helps to detect bruteforce of a user account.'
