let threshold = 5;
VersasecCmsSysLogs
| where EventId == 2
| sort by ComputerName asc, TimeGenerated asc
| extend TimeDiff = datetime_diff('minute', TimeGenerated, prev(TimeGenerated))
| where TimeDiff <= threshold and ComputerName == prev(ComputerName)
name: Versasec CMS - Multiple Failed Login Attempts
relevantTechniques:
- T1110
id: B1DB8B7E-9D74-48C3-9683-74483CBEFF4E
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/VersasecCMS/Analytic Rules/VersasecCmsOperatorLoginFailed.yaml
requiredDataConnectors:
- dataTypes:
- VersasecCmsSysLogs
connectorId: VersasecCms
eventGroupingSettings:
aggregationKind: SingleAlert
version: 1.0.1
severity: High
triggerThreshold: 5
queryPeriod: 1h
entityMappings:
- fieldMappings:
- identifier: FullName
columnName: ComputerName
entityType: Host
incidentConfiguration:
groupingConfiguration:
reopenClosedIncident: false
matchingMethod: AllEntities
lookbackDuration: 5m
enabled: false
createIncident: true
queryFrequency: 5m
status: Available
query: |
let threshold = 5;
VersasecCmsSysLogs
| where EventId == 2
| sort by ComputerName asc, TimeGenerated asc
| extend TimeDiff = datetime_diff('minute', TimeGenerated, prev(TimeGenerated))
| where TimeDiff <= threshold and ComputerName == prev(ComputerName)
tactics:
- CredentialAccess
kind: Scheduled
description: |
Detects when Operator login failed to often.
triggerOperator: gt
