Cisco Duo - Multiple admin 2FA failures

Back


Id	e46c5588-e643-4a60-a008-5ba9a4c84328
Rulename	Cisco Duo - Multiple admin 2FA failures
Description	Detects when multiple admin 2FA failures occurs.
Severity	High
Tactics	InitialAccess
Techniques	T1078
Required data connectors	CiscoDuoSecurity
Kind	Scheduled
Query frequency	1h
Query period	1h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CiscoDuoSecurity/Analytic Rules/CiscoDuoAdminMFAFailures.yaml
Version	1.0.1
Arm template	e46c5588-e643-4a60-a008-5ba9a4c84328.json

KQL

let threshold = 10;
CiscoDuo
| where DvcAction =~ "admin_2fa_error"
| summarize count() by DstUserName, bin(TimeGenerated, 10m)
| where count_ > threshold
| extend AccountCustomEntity = DstUserName

YAML

id: e46c5588-e643-4a60-a008-5ba9a4c84328
tactics:
- InitialAccess
queryPeriod: 1h
triggerThreshold: 0
name: Cisco Duo - Multiple admin 2FA failures
query: |
  let threshold = 10;
  CiscoDuo
  | where DvcAction =~ "admin_2fa_error"
  | summarize count() by DstUserName, bin(TimeGenerated, 10m)
  | where count_ > threshold
  | extend AccountCustomEntity = DstUserName  
severity: High
triggerOperator: gt
kind: Scheduled
relevantTechniques:
- T1078
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CiscoDuoSecurity/Analytic Rules/CiscoDuoAdminMFAFailures.yaml
queryFrequency: 1h
requiredDataConnectors:
- connectorId: CiscoDuoSecurity
  dataTypes:
  - CiscoDuo
description: |
    'Detects when multiple admin 2FA failures occurs.'
status: Available
version: 1.0.1
entityMappings:
- fieldMappings:
  - columnName: AccountCustomEntity
    identifier: Name
  entityType: Account

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/e46c5588-e643-4a60-a008-5ba9a4c84328')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/e46c5588-e643-4a60-a008-5ba9a4c84328')]",
      "properties": {
        "alertRuleTemplateName": "e46c5588-e643-4a60-a008-5ba9a4c84328",
        "customDetails": null,
        "description": "'Detects when multiple admin 2FA failures occurs.'\n",
        "displayName": "Cisco Duo - Multiple admin 2FA failures",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AccountCustomEntity",
                "identifier": "Name"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CiscoDuoSecurity/Analytic Rules/CiscoDuoAdminMFAFailures.yaml",
        "query": "let threshold = 10;\nCiscoDuo\n| where DvcAction =~ \"admin_2fa_error\"\n| summarize count() by DstUserName, bin(TimeGenerated, 10m)\n| where count_ > threshold\n| extend AccountCustomEntity = DstUserName\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess"
        ],
        "techniques": [
          "T1078"
        ],
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}