Cisco Duo - Multiple admin 2FA failures

Back


Id	e46c5588-e643-4a60-a008-5ba9a4c84328
Rulename	Cisco Duo - Multiple admin 2FA failures
Description	Detects when multiple admin 2FA failures occurs.
Severity	High
Tactics	InitialAccess
Techniques	T1078
Required data connectors	CiscoDuoSecurity
Kind	Scheduled
Query frequency	1h
Query period	1h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CiscoDuoSecurity/Analytic Rules/CiscoDuoAdminMFAFailures.yaml
Version	1.0.1
Arm template	e46c5588-e643-4a60-a008-5ba9a4c84328.json

KQL

let threshold = 10;
CiscoDuo
| where DvcAction =~ "admin_2fa_error"
| summarize count() by DstUserName, bin(TimeGenerated, 10m)
| where count_ > threshold
| extend AccountCustomEntity = DstUserName

YAML

relevantTechniques:
- T1078
name: Cisco Duo - Multiple admin 2FA failures
requiredDataConnectors:
- dataTypes:
  - CiscoDuo
  connectorId: CiscoDuoSecurity
entityMappings:
- fieldMappings:
  - identifier: Name
    columnName: AccountCustomEntity
  entityType: Account
triggerThreshold: 0
id: e46c5588-e643-4a60-a008-5ba9a4c84328
tactics:
- InitialAccess
version: 1.0.1
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CiscoDuoSecurity/Analytic Rules/CiscoDuoAdminMFAFailures.yaml
queryPeriod: 1h
kind: Scheduled
queryFrequency: 1h
severity: High
status: Available
description: |
    'Detects when multiple admin 2FA failures occurs.'
query: |
  let threshold = 10;
  CiscoDuo
  | where DvcAction =~ "admin_2fa_error"
  | summarize count() by DstUserName, bin(TimeGenerated, 10m)
  | where count_ > threshold
  | extend AccountCustomEntity = DstUserName  
triggerOperator: gt

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/e46c5588-e643-4a60-a008-5ba9a4c84328')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/e46c5588-e643-4a60-a008-5ba9a4c84328')]",
      "properties": {
        "alertRuleTemplateName": "e46c5588-e643-4a60-a008-5ba9a4c84328",
        "customDetails": null,
        "description": "'Detects when multiple admin 2FA failures occurs.'\n",
        "displayName": "Cisco Duo - Multiple admin 2FA failures",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AccountCustomEntity",
                "identifier": "Name"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CiscoDuoSecurity/Analytic Rules/CiscoDuoAdminMFAFailures.yaml",
        "query": "let threshold = 10;\nCiscoDuo\n| where DvcAction =~ \"admin_2fa_error\"\n| summarize count() by DstUserName, bin(TimeGenerated, 10m)\n| where count_ > threshold\n| extend AccountCustomEntity = DstUserName\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess"
        ],
        "techniques": [
          "T1078"
        ],
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}