Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Mimecast Audit - Logon Authentication Failed

Back
Id9c5dcd76-9f6d-42a3-b984-314b52678f20
RulenameMimecast Audit - Logon Authentication Failed
DescriptionDetects threat when logon authentication failure found in audit
SeverityHigh
TacticsDiscovery
InitialAccess
CredentialAccess
TechniquesT1110
Required data connectorsMimecastAuditAPI
KindScheduled
Query frequency5m
Query period15m
Trigger threshold3
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/MimecastAudit/Analytic Rules/MimecastAudit.yaml
Version1.0.0
Arm template9c5dcd76-9f6d-42a3-b984-314b52678f20.json
Deploy To Azure
MimecastAudit_CL | where src_s !="" and auditType_s == "Logon Authentication Failed"
queryPeriod: 15m
severity: High
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/MimecastAudit/Analytic Rules/MimecastAudit.yaml
requiredDataConnectors:
- dataTypes:
  - MimecastAudit_CL
  connectorId: MimecastAuditAPI
triggerOperator: gt
eventGroupingSettings:
  aggregationKind: SingleAlert
entityMappings:
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: src_s
- entityType: Mailbox
  fieldMappings:
  - identifier: MailboxPrimaryAddress
    columnName: user_s
- entityType: CloudApplication
  fieldMappings:
  - identifier: AppId
    columnName: app_s
apiVersion: 2021-09-01-preview
query: MimecastAudit_CL | where src_s !="" and auditType_s == "Logon Authentication Failed"
displayName: Mimecast Audit - Logon Authentication Failed
relevantTechniques:
- T1110
tactics:
- Discovery
- InitialAccess
- CredentialAccess
queryFrequency: 5m
alertDetailsOverride: 
suppressionEnabled: false
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    reopenClosedIncident: false
    lookbackDuration: 1d
    matchingMethod: AllEntities
    enabled: true
description: Detects threat when logon authentication failure found in audit
version: 1.0.0
id: 9c5dcd76-9f6d-42a3-b984-314b52678f20
alertRuleTemplateName: 
kind: Scheduled
enabled: true
suppressionDuration: 5h
customDetails: 
name: Mimecast Audit - Logon Authentication Failed
triggerThreshold: 3
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/9c5dcd76-9f6d-42a3-b984-314b52678f20')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/9c5dcd76-9f6d-42a3-b984-314b52678f20')]",
      "properties": {
        "alertDetailsOverride": null,
        "alertRuleTemplateName": "9c5dcd76-9f6d-42a3-b984-314b52678f20",
        "apiVersion": "2021-09-01-preview",
        "customDetails": null,
        "description": "Detects threat when logon authentication failure found in audit",
        "displayName": "Mimecast Audit - Logon Authentication Failed",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "src_s",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "Mailbox",
            "fieldMappings": [
              {
                "columnName": "user_s",
                "identifier": "MailboxPrimaryAddress"
              }
            ]
          },
          {
            "entityType": "CloudApplication",
            "fieldMappings": [
              {
                "columnName": "app_s",
                "identifier": "AppId"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "SingleAlert"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": true,
            "lookbackDuration": "P1D",
            "matchingMethod": "AllEntities",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/MimecastAudit/Analytic Rules/MimecastAudit.yaml",
        "query": "MimecastAudit_CL | where src_s !=\"\" and auditType_s == \"Logon Authentication Failed\"",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT15M",
        "severity": "High",
        "subTechniques": [],
        "suppressionDuration": "PT5H",
        "suppressionEnabled": false,
        "tactics": [
          "CredentialAccess",
          "Discovery",
          "InitialAccess"
        ],
        "techniques": [
          "T1110"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 3
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}