let threshold = 15;
let rejectedAccess = SymantecVIP
| where isnotempty(RADIUSAuth)
| where RADIUSAuth =~ "Reject"
| summarize Total = count() by ClientIP, bin(TimeGenerated, 15m)
| where Total > threshold
| project ClientIP;
SymantecVIP
| where isnotempty(RADIUSAuth)
| where RADIUSAuth =~ "Reject"
| join kind=inner rejectedAccess on ClientIP
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by ClientIP, User
id: a9956d3a-07a9-44a6-a279-081a85020cae
queryFrequency: 1h
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Symantec VIP/Analytic Rules/ClientDeniedAccess.yaml
status: Available
tactics:
- CredentialAccess
name: ClientDeniedAccess
triggerThreshold: 0
relevantTechniques:
- T1110
kind: Scheduled
requiredDataConnectors:
- connectorId: SyslogAma
datatypes:
- Syslog
queryPeriod: 1h
triggerOperator: gt
query: |
let threshold = 15;
let rejectedAccess = SymantecVIP
| where isnotempty(RADIUSAuth)
| where RADIUSAuth =~ "Reject"
| summarize Total = count() by ClientIP, bin(TimeGenerated, 15m)
| where Total > threshold
| project ClientIP;
SymantecVIP
| where isnotempty(RADIUSAuth)
| where RADIUSAuth =~ "Reject"
| join kind=inner rejectedAccess on ClientIP
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by ClientIP, User
entityMappings:
- fieldMappings:
- identifier: FullName
columnName: User
entityType: Account
- fieldMappings:
- identifier: Address
columnName: ClientIP
entityType: IP
version: 1.0.4
description: |
'Creates an incident in the event a Client has an excessive amounts of denied access requests.'
severity: Medium
