Mimecast Audit - Logon Authentication Failed

Back


Id	9c5dcd76-9f6d-42a3-b984-314b52678f20
Rulename	Mimecast Audit - Logon Authentication Failed
Description	Detects threat when logon authentication failure found in audit
Severity	High
Tactics	Discovery InitialAccess CredentialAccess
Techniques	T1110
Required data connectors	MimecastAuditAPI
Kind	Scheduled
Query frequency	5m
Query period	15m
Trigger threshold	3
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/MimecastAudit/Analytic Rules/MimecastAudit.yaml
Version	1.0.0
Arm template	9c5dcd76-9f6d-42a3-b984-314b52678f20.json

KQL

MimecastAudit_CL | where src_s !="" and auditType_s == "Logon Authentication Failed"

YAML

queryFrequency: 5m
customDetails: 
triggerThreshold: 3
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    matchingMethod: AllEntities
    lookbackDuration: 1d
    enabled: true
    reopenClosedIncident: false
relevantTechniques:
- T1110
id: 9c5dcd76-9f6d-42a3-b984-314b52678f20
triggerOperator: gt
severity: High
queryPeriod: 15m
alertDetailsOverride: 
suppressionEnabled: false
eventGroupingSettings:
  aggregationKind: SingleAlert
entityMappings:
- entityType: IP
  fieldMappings:
  - columnName: src_s
    identifier: Address
- entityType: Mailbox
  fieldMappings:
  - columnName: user_s
    identifier: MailboxPrimaryAddress
- entityType: CloudApplication
  fieldMappings:
  - columnName: app_s
    identifier: AppId
name: Mimecast Audit - Logon Authentication Failed
apiVersion: 2021-09-01-preview
kind: Scheduled
tactics:
- Discovery
- InitialAccess
- CredentialAccess
suppressionDuration: 5h
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/MimecastAudit/Analytic Rules/MimecastAudit.yaml
query: MimecastAudit_CL | where src_s !="" and auditType_s == "Logon Authentication Failed"
displayName: Mimecast Audit - Logon Authentication Failed
enabled: true
alertRuleTemplateName: 
requiredDataConnectors:
- dataTypes:
  - MimecastAudit_CL
  connectorId: MimecastAuditAPI
version: 1.0.0
description: Detects threat when logon authentication failure found in audit

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/9c5dcd76-9f6d-42a3-b984-314b52678f20')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/9c5dcd76-9f6d-42a3-b984-314b52678f20')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01-preview",
      "properties": {
        "displayName": "Mimecast Audit - Logon Authentication Failed",
        "description": "Detects threat when logon authentication failure found in audit",
        "severity": "High",
        "enabled": true,
        "query": "MimecastAudit_CL | where src_s !=\"\" and auditType_s == \"Logon Authentication Failed\"",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT15M",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 3,
        "suppressionDuration": "PT5H",
        "suppressionEnabled": false,
        "tactics": [
          "Discovery",
          "InitialAccess",
          "CredentialAccess"
        ],
        "techniques": [
          "T1110"
        ],
        "alertRuleTemplateName": null,
        "incidentConfiguration": {
          "groupingConfiguration": {
            "enabled": true,
            "lookbackDuration": "P1D",
            "matchingMethod": "AllEntities",
            "reopenClosedIncident": false
          },
          "createIncident": true
        },
        "eventGroupingSettings": {
          "aggregationKind": "SingleAlert"
        },
        "alertDetailsOverride": null,
        "customDetails": null,
        "entityMappings": [
          {
            "fieldMappings": [
              {
                "identifier": "Address",
                "columnName": "src_s"
              }
            ],
            "entityType": "IP"
          },
          {
            "fieldMappings": [
              {
                "identifier": "MailboxPrimaryAddress",
                "columnName": "user_s"
              }
            ],
            "entityType": "Mailbox"
          },
          {
            "fieldMappings": [
              {
                "identifier": "AppId",
                "columnName": "app_s"
              }
            ],
            "entityType": "CloudApplication"
          }
        ],
        "apiVersion": "2021-09-01-preview",
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/MimecastAudit/Analytic Rules/MimecastAudit.yaml",
        "templateVersion": "1.0.0"
      }
    }
  ]
}