// Detection query: KMIP authentication failures on Utimaco ESKM, grouped by source IP.
UtimacoESKMKmipServerLogs_CL
// Lookback of 15 minutes, the same width as the rule's queryPeriod/queryFrequency.
| where TimeGenerated > ago(15m)
| where Event == "Authentication Failure"
// Drop rows with no client IP so the grouping key below is always populated.
| where isnotempty(IP)
// One row per IP: failure count, first/last seen, and up to 50 distinct user names.
| summarize FailureCount = count(), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), Users = make_set(User, 50) by IP
// Threshold: five or more failures from the same IP within the window.
| where FailureCount >= 5
// Column consumed by the rule's entity mapping (IP -> Address).
| extend IPCustomEntity = IP
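---
# Microsoft Sentinel scheduled analytic rule: raises an alert for a client IP
# that produced five or more KMIP "Authentication Failure" events on Utimaco
# ESKM within a 15 minute window.
id: 9b1a3b3e-7e16-4a3b-8a8f-7f1f2b1c0a01
name: Utimaco ESKM - Multiple KMIP authentication failures from same IP
description: |
  This query searches for 5 or more KMIP "Authentication Failure" events originating from the same client IP within a 15 minute window on Utimaco ESKM. This may indicate brute-force or credential-stuffing activity against the KMIP server.
severity: Medium
status: Available
requiredDataConnectors:
  - connectorId: UtimacoESKMConnector
    dataTypes:
      - UtimacoESKMKmipServerLogs_CL
# Lookback and schedule are both 15m, so consecutive runs cover adjacent,
# non-overlapping windows. The query repeats the same ago(15m) bound itself.
# NOTE(review): a run that starts late could leave events at the window edge
# uncounted — confirm against the scheduler's actual lookback behaviour.
queryFrequency: 15m
queryPeriod: 15m
# The per-IP threshold (FailureCount >= 5) is enforced inside the query; the
# rule fires whenever the query returns at least one row.
triggerOperator: gt
triggerThreshold: 0
tactics:
  - CredentialAccess
relevantTechniques:
  - T1110
query: |
  UtimacoESKMKmipServerLogs_CL
  | where TimeGenerated > ago(15m)
  | where Event == "Authentication Failure"
  | where isnotempty(IP)
  | summarize FailureCount = count(), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), Users = make_set(User, 50) by IP
  | where FailureCount >= 5
  | extend IPCustomEntity = IP
# Maps the IPCustomEntity column produced by the query onto the IP entity
# of the generated alert.
entityMappings:
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: IPCustomEntity
# Quoted so no loader can reinterpret the version as a number.
version: '1.0.0'
kind: Scheduled
OriginalUri: 'https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Utimaco Enterprise Secure Key Manager/Analytic Rules/UtimacoESKM_AuthFailureBruteForce.yaml'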