Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. ClientDeniedAccess

ClientDeniedAccess

Back
Ida9956d3a-07a9-44a6-a279-081a85020cae
RulenameClientDeniedAccess
DescriptionCreates an incident in the event a Client has an excessive amounts of denied access requests.
SeverityMedium
TacticsCredentialAccess
TechniquesT1110
Required data connectorsSyslogAma
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Symantec VIP/Analytic Rules/ClientDeniedAccess.yaml
Version1.0.4
Arm templatea9956d3a-07a9-44a6-a279-081a85020cae.json
Deploy To Azure
let threshold = 15;
let rejectedAccess = SymantecVIP
| where isnotempty(RADIUSAuth)
| where RADIUSAuth =~ "Reject"
| summarize Total = count() by ClientIP, bin(TimeGenerated, 15m)
| where Total > threshold
| project ClientIP;
SymantecVIP
| where isnotempty(RADIUSAuth)
| where RADIUSAuth =~ "Reject"
| join kind=inner rejectedAccess on ClientIP
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by ClientIP, User

description: |
    'Creates an incident in the event a Client has an excessive amounts of denied access requests.'
kind: Scheduled
tactics:
- CredentialAccess
requiredDataConnectors:
- connectorId: SyslogAma
  datatypes:
  - Syslog
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Symantec VIP/Analytic Rules/ClientDeniedAccess.yaml
severity: Medium
name: ClientDeniedAccess
triggerThreshold: 0
queryPeriod: 1h
query: |
  let threshold = 15;
  let rejectedAccess = SymantecVIP
  | where isnotempty(RADIUSAuth)
  | where RADIUSAuth =~ "Reject"
  | summarize Total = count() by ClientIP, bin(TimeGenerated, 15m)
  | where Total > threshold
  | project ClientIP;
  SymantecVIP
  | where isnotempty(RADIUSAuth)
  | where RADIUSAuth =~ "Reject"
  | join kind=inner rejectedAccess on ClientIP
  | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by ClientIP, User  
relevantTechniques:
- T1110
id: a9956d3a-07a9-44a6-a279-081a85020cae
queryFrequency: 1h
entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: User
    identifier: FullName
- entityType: IP
  fieldMappings:
  - columnName: ClientIP
    identifier: Address
triggerOperator: gt
version: 1.0.4
status: Available