let threshold = 15;
let rejectedAccess = SymantecVIP
| where isnotempty(RADIUSAuth)
| where RADIUSAuth =~ "Reject"
| summarize Total = count() by ClientIP, bin(TimeGenerated, 15m)
| where Total > threshold
| project ClientIP;
SymantecVIP
| where isnotempty(RADIUSAuth)
| where RADIUSAuth =~ "Reject"
| join kind=inner rejectedAccess on ClientIP
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by ClientIP, User
relevantTechniques:
- T1110
entityMappings:
- fieldMappings:
- columnName: User
identifier: FullName
entityType: Account
- fieldMappings:
- columnName: ClientIP
identifier: Address
entityType: IP
triggerThreshold: 0
description: |
'Creates an incident in the event a Client has an excessive amounts of denied access requests.'
requiredDataConnectors:
- connectorId: SyslogAma
datatypes:
- Syslog
triggerOperator: gt
version: 1.0.4
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Symantec VIP/Analytic Rules/ClientDeniedAccess.yaml
id: a9956d3a-07a9-44a6-a279-081a85020cae
queryFrequency: 1h
query: |
let threshold = 15;
let rejectedAccess = SymantecVIP
| where isnotempty(RADIUSAuth)
| where RADIUSAuth =~ "Reject"
| summarize Total = count() by ClientIP, bin(TimeGenerated, 15m)
| where Total > threshold
| project ClientIP;
SymantecVIP
| where isnotempty(RADIUSAuth)
| where RADIUSAuth =~ "Reject"
| join kind=inner rejectedAccess on ClientIP
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by ClientIP, User
severity: Medium
status: Available
queryPeriod: 1h
name: ClientDeniedAccess
tactics:
- CredentialAccess
kind: Scheduled
