Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Failed logon attempts in authpriv

Back
Ide7ec9fa6-e7f7-41ed-a34b-b956837a3ee6
RulenameFailed logon attempts in authpriv
DescriptionIdentifies failed logon attempts from unknown users in Syslog authpriv logs. The unknown user means the account that tried to log in isn’t provisioned on the machine. A few hits could indicate someone attempting to access a machine they aren’t authorized to access.

If there are many of hits, especially from outside your network, it could indicate a brute force attack.

Default threshold for logon attempts is 15.
SeverityMedium
TacticsCredentialAccess
TechniquesT1110
Required data connectorsSyslog
SyslogAma
KindScheduled
Query frequency1d
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Syslog/Analytic Rules/FailedLogonAttempts_UnknownUser.yaml
Version1.0.5
Arm templatee7ec9fa6-e7f7-41ed-a34b-b956837a3ee6.json
Deploy To Azure
let threshold = 15;
// Below pulls messages from syslog-authpriv logs where there was an authentication failure with an unknown user.
// IP address of system attempting logon is also extracted from the SyslogMessage field. Some of these messages
// are aggregated.
Syslog
| where Facility =~ "authpriv"
| where SyslogMessage has "authentication failure" and SyslogMessage has " uid=0"
| extend RemoteIP = extract(@".*?rhost=([\d.]+).*?", 1,SyslogMessage)
| project TimeGenerated, Computer, ProcessName, HostIP, RemoteIP, ProcessID
| join kind=innerunique (
    // Below pulls messages from syslog-authpriv logs that show each instance an unknown user tried to logon. 
    Syslog 
    | where Facility =~ "authpriv"
    | where SyslogMessage has "user unknown"
    | project Computer, HostIP, ProcessID
    ) on Computer, HostIP, ProcessID
// Count the number of failed logon attempts by External IP and internal machine
| summarize FirstLogonAttempt = min(TimeGenerated), LatestLogonAttempt = max(TimeGenerated), TotalLogonAttempts = count() by Computer, HostIP, RemoteIP
// Calculate the time between first and last logon attempt (AttemptPeriodLength)
| extend TimeBetweenLogonAttempts = LatestLogonAttempt - FirstLogonAttempt
| where TotalLogonAttempts >= threshold
| project FirstLogonAttempt, LatestLogonAttempt, TimeBetweenLogonAttempts, TotalLogonAttempts, SourceAddress = RemoteIP, Computer,  HostIP
| sort by Computer asc nulls last
id: e7ec9fa6-e7f7-41ed-a34b-b956837a3ee6
name: Failed logon attempts in authpriv
requiredDataConnectors:
- connectorId: Syslog
  dataTypes:
  - Syslog
- connectorId: SyslogAma
  dataTypes:
  - Syslog
triggerOperator: gt
severity: Medium
triggerThreshold: 0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Syslog/Analytic Rules/FailedLogonAttempts_UnknownUser.yaml
kind: Scheduled
description: |
  'Identifies failed logon attempts from unknown users in Syslog authpriv logs. The unknown user means the account that tried to log in isn't provisioned on the machine. A few hits could indicate someone attempting to access a machine they aren't authorized to access. 
  If there are many of hits, especially from outside your network, it could indicate a brute force attack. 
  Default threshold for logon attempts is 15.'  
relevantTechniques:
- T1110
queryPeriod: 1d
query: |
  let threshold = 15;
  // Below pulls messages from syslog-authpriv logs where there was an authentication failure with an unknown user.
  // IP address of system attempting logon is also extracted from the SyslogMessage field. Some of these messages
  // are aggregated.
  Syslog
  | where Facility =~ "authpriv"
  | where SyslogMessage has "authentication failure" and SyslogMessage has " uid=0"
  | extend RemoteIP = extract(@".*?rhost=([\d.]+).*?", 1,SyslogMessage)
  | project TimeGenerated, Computer, ProcessName, HostIP, RemoteIP, ProcessID
  | join kind=innerunique (
      // Below pulls messages from syslog-authpriv logs that show each instance an unknown user tried to logon. 
      Syslog 
      | where Facility =~ "authpriv"
      | where SyslogMessage has "user unknown"
      | project Computer, HostIP, ProcessID
      ) on Computer, HostIP, ProcessID
  // Count the number of failed logon attempts by External IP and internal machine
  | summarize FirstLogonAttempt = min(TimeGenerated), LatestLogonAttempt = max(TimeGenerated), TotalLogonAttempts = count() by Computer, HostIP, RemoteIP
  // Calculate the time between first and last logon attempt (AttemptPeriodLength)
  | extend TimeBetweenLogonAttempts = LatestLogonAttempt - FirstLogonAttempt
  | where TotalLogonAttempts >= threshold
  | project FirstLogonAttempt, LatestLogonAttempt, TimeBetweenLogonAttempts, TotalLogonAttempts, SourceAddress = RemoteIP, Computer,  HostIP
  | sort by Computer asc nulls last  
queryFrequency: 1d
version: 1.0.5
tactics:
- CredentialAccess
entityMappings:
- fieldMappings:
  - identifier: FullName
    columnName: Computer
  entityType: Host
- fieldMappings:
  - identifier: Address
    columnName: HostIP
  entityType: IP
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2023-02-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/e7ec9fa6-e7f7-41ed-a34b-b956837a3ee6')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/e7ec9fa6-e7f7-41ed-a34b-b956837a3ee6')]",
      "properties": {
        "alertRuleTemplateName": "e7ec9fa6-e7f7-41ed-a34b-b956837a3ee6",
        "customDetails": null,
        "description": "'Identifies failed logon attempts from unknown users in Syslog authpriv logs. The unknown user means the account that tried to log in isn't provisioned on the machine. A few hits could indicate someone attempting to access a machine they aren't authorized to access. \nIf there are many of hits, especially from outside your network, it could indicate a brute force attack. \nDefault threshold for logon attempts is 15.'\n",
        "displayName": "Failed logon attempts in authpriv",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "Computer",
                "identifier": "FullName"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "HostIP",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Syslog/Analytic Rules/FailedLogonAttempts_UnknownUser.yaml",
        "query": "let threshold = 15;\n// Below pulls messages from syslog-authpriv logs where there was an authentication failure with an unknown user.\n// IP address of system attempting logon is also extracted from the SyslogMessage field. Some of these messages\n// are aggregated.\nSyslog\n| where Facility =~ \"authpriv\"\n| where SyslogMessage has \"authentication failure\" and SyslogMessage has \" uid=0\"\n| extend RemoteIP = extract(@\".*?rhost=([\\d.]+).*?\", 1,SyslogMessage)\n| project TimeGenerated, Computer, ProcessName, HostIP, RemoteIP, ProcessID\n| join kind=innerunique (\n    // Below pulls messages from syslog-authpriv logs that show each instance an unknown user tried to logon. \n    Syslog \n    | where Facility =~ \"authpriv\"\n    | where SyslogMessage has \"user unknown\"\n    | project Computer, HostIP, ProcessID\n    ) on Computer, HostIP, ProcessID\n// Count the number of failed logon attempts by External IP and internal machine\n| summarize FirstLogonAttempt = min(TimeGenerated), LatestLogonAttempt = max(TimeGenerated), TotalLogonAttempts = count() by Computer, HostIP, RemoteIP\n// Calculate the time between first and last logon attempt (AttemptPeriodLength)\n| extend TimeBetweenLogonAttempts = LatestLogonAttempt - FirstLogonAttempt\n| where TotalLogonAttempts >= threshold\n| project FirstLogonAttempt, LatestLogonAttempt, TimeBetweenLogonAttempts, TotalLogonAttempts, SourceAddress = RemoteIP, Computer,  HostIP\n| sort by Computer asc nulls last\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P1D",
        "severity": "Medium",
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CredentialAccess"
        ],
        "techniques": [
          "T1110"
        ],
        "templateVersion": "1.0.5",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}