let threshold = 15;
let rejectedAccess = SymantecVIP
| where isnotempty(RADIUSAuth)
| where RADIUSAuth =~ "Reject"
| summarize Total = count() by ClientIP, bin(TimeGenerated, 15m)
| where Total > threshold
| project ClientIP;
SymantecVIP
| where isnotempty(RADIUSAuth)
| where RADIUSAuth =~ "Reject"
| join kind=inner rejectedAccess on ClientIP
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by ClientIP, User
triggerThreshold: 0
entityMappings:
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: User
- entityType: IP
fieldMappings:
- identifier: Address
columnName: ClientIP
requiredDataConnectors:
- datatypes:
- Syslog
connectorId: SyslogAma
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Symantec VIP/Analytic Rules/ClientDeniedAccess.yaml
name: ClientDeniedAccess
status: Available
relevantTechniques:
- T1110
query: |
let threshold = 15;
let rejectedAccess = SymantecVIP
| where isnotempty(RADIUSAuth)
| where RADIUSAuth =~ "Reject"
| summarize Total = count() by ClientIP, bin(TimeGenerated, 15m)
| where Total > threshold
| project ClientIP;
SymantecVIP
| where isnotempty(RADIUSAuth)
| where RADIUSAuth =~ "Reject"
| join kind=inner rejectedAccess on ClientIP
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), count() by ClientIP, User
version: 1.0.4
queryPeriod: 1h
kind: Scheduled
id: a9956d3a-07a9-44a6-a279-081a85020cae
description: |
'Creates an incident in the event a Client has an excessive amounts of denied access requests.'
queryFrequency: 1h
severity: Medium
triggerOperator: gt
tactics:
- CredentialAccess
