Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Mimecast Audit - Logon Authentication Failed

Back
Id9c5dcd76-9f6d-42a3-b984-314b52678f20
RulenameMimecast Audit - Logon Authentication Failed
DescriptionDetects threat when logon authentication failure found in audit
SeverityHigh
TacticsDiscovery
InitialAccess
CredentialAccess
TechniquesT1110
Required data connectorsMimecastAuditAPI
KindScheduled
Query frequency5m
Query period15m
Trigger threshold3
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/MimecastAudit/Analytic Rules/MimecastAudit.yaml
Version1.0.0
Arm template9c5dcd76-9f6d-42a3-b984-314b52678f20.json
Deploy To Azure
MimecastAudit_CL | where src_s !="" and auditType_s == "Logon Authentication Failed"
relevantTechniques:
- T1110
customDetails: 
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true
    matchingMethod: AllEntities
    reopenClosedIncident: false
    lookbackDuration: 1d
kind: Scheduled
severity: High
enabled: true
queryFrequency: 5m
suppressionDuration: 5h
triggerOperator: gt
displayName: Mimecast Audit - Logon Authentication Failed
triggerThreshold: 3
apiVersion: 2021-09-01-preview
name: Mimecast Audit - Logon Authentication Failed
tactics:
- Discovery
- InitialAccess
- CredentialAccess
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/MimecastAudit/Analytic Rules/MimecastAudit.yaml
queryPeriod: 15m
version: 1.0.0
description: Detects threat when logon authentication failure found in audit
alertDetailsOverride: 
id: 9c5dcd76-9f6d-42a3-b984-314b52678f20
entityMappings:
- fieldMappings:
  - columnName: src_s
    identifier: Address
  entityType: IP
- fieldMappings:
  - columnName: user_s
    identifier: MailboxPrimaryAddress
  entityType: Mailbox
- fieldMappings:
  - columnName: app_s
    identifier: AppId
  entityType: CloudApplication
eventGroupingSettings:
  aggregationKind: SingleAlert
alertRuleTemplateName: 
requiredDataConnectors:
- connectorId: MimecastAuditAPI
  dataTypes:
  - MimecastAudit_CL
query: MimecastAudit_CL | where src_s !="" and auditType_s == "Logon Authentication Failed"
suppressionEnabled: false
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/9c5dcd76-9f6d-42a3-b984-314b52678f20')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/9c5dcd76-9f6d-42a3-b984-314b52678f20')]",
      "properties": {
        "alertDetailsOverride": null,
        "alertRuleTemplateName": "9c5dcd76-9f6d-42a3-b984-314b52678f20",
        "apiVersion": "2021-09-01-preview",
        "customDetails": null,
        "description": "Detects threat when logon authentication failure found in audit",
        "displayName": "Mimecast Audit - Logon Authentication Failed",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "src_s",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "Mailbox",
            "fieldMappings": [
              {
                "columnName": "user_s",
                "identifier": "MailboxPrimaryAddress"
              }
            ]
          },
          {
            "entityType": "CloudApplication",
            "fieldMappings": [
              {
                "columnName": "app_s",
                "identifier": "AppId"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "SingleAlert"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": true,
            "lookbackDuration": "P1D",
            "matchingMethod": "AllEntities",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/MimecastAudit/Analytic Rules/MimecastAudit.yaml",
        "query": "MimecastAudit_CL | where src_s !=\"\" and auditType_s == \"Logon Authentication Failed\"",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT15M",
        "severity": "High",
        "subTechniques": [],
        "suppressionDuration": "PT5H",
        "suppressionEnabled": false,
        "tactics": [
          "CredentialAccess",
          "Discovery",
          "InitialAccess"
        ],
        "techniques": [
          "T1110"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 3
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}