Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Failed logon attempts in authpriv

Back
Ide7ec9fa6-e7f7-41ed-a34b-b956837a3ee6
RulenameFailed logon attempts in authpriv
DescriptionIdentifies failed logon attempts from unknown users in Syslog authpriv logs. The unknown user means the account that tried to log in

isn’t provisioned on the machine. A few hits could indicate someone attempting to access a machine they aren’t authorized to access.

If there are many of hits, especially from outside your network, it could indicate a brute force attack.

Default threshold for logon attempts is 15.
SeverityMedium
TacticsCredentialAccess
TechniquesT1110
Required data connectorsSyslog
KindScheduled
Query frequency1d
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Syslog/Analytic Rules/FailedLogonAttempts_UnknownUser.yaml
Version1.0.1
Arm templatee7ec9fa6-e7f7-41ed-a34b-b956837a3ee6.json
Deploy To Azure
let threshold = 15;
// Below pulls messages from syslog-authpriv logs where there was an authentication failure with an unknown user.
// IP address of system attempting logon is also extracted from the SyslogMessage field. Some of these messages
// are aggregated.
Syslog
| where Facility =~ "authpriv"
| where SyslogMessage has "authentication failure" and SyslogMessage has " uid=0"
| parse SyslogMessage with * "rhost=" RemoteIP
| project TimeGenerated, Computer, ProcessName, HostIP, RemoteIP, ProcessID
| join kind=innerunique (
    // Below pulls messages from syslog-authpriv logs that show each instance an unknown user tried to logon. 
    Syslog 
    | where Facility =~ "authpriv"
    | where SyslogMessage has "user unknown"
    | project Computer, HostIP, ProcessID
    ) on Computer, HostIP, ProcessID
// Count the number of failed logon attempts by External IP and internal machine
| summarize FirstLogonAttempt = min(TimeGenerated), LatestLogonAttempt = max(TimeGenerated), TotalLogonAttempts = count() by Computer, HostIP, RemoteIP
// Calculate the time between first and last logon attempt (AttemptPeriodLength)
| extend TimeBetweenLogonAttempts = LatestLogonAttempt - FirstLogonAttempt
| where TotalLogonAttempts >= threshold
| project FirstLogonAttempt, LatestLogonAttempt, TimeBetweenLogonAttempts, TotalLogonAttempts, SourceAddress = RemoteIP, DestinationHost = Computer, DestinationAddress = HostIP
| sort by DestinationHost asc nulls last
| extend timestamp = FirstLogonAttempt, HostCustomEntity = DestinationHost, IPCustomEntity = DestinationAddress
queryFrequency: 1d
entityMappings:
- entityType: Host
  fieldMappings:
  - columnName: HostCustomEntity
    identifier: FullName
- entityType: IP
  fieldMappings:
  - columnName: IPCustomEntity
    identifier: Address
severity: Medium
triggerThreshold: 0
relevantTechniques:
- T1110
query: |
  let threshold = 15;
  // Below pulls messages from syslog-authpriv logs where there was an authentication failure with an unknown user.
  // IP address of system attempting logon is also extracted from the SyslogMessage field. Some of these messages
  // are aggregated.
  Syslog
  | where Facility =~ "authpriv"
  | where SyslogMessage has "authentication failure" and SyslogMessage has " uid=0"
  | parse SyslogMessage with * "rhost=" RemoteIP
  | project TimeGenerated, Computer, ProcessName, HostIP, RemoteIP, ProcessID
  | join kind=innerunique (
      // Below pulls messages from syslog-authpriv logs that show each instance an unknown user tried to logon. 
      Syslog 
      | where Facility =~ "authpriv"
      | where SyslogMessage has "user unknown"
      | project Computer, HostIP, ProcessID
      ) on Computer, HostIP, ProcessID
  // Count the number of failed logon attempts by External IP and internal machine
  | summarize FirstLogonAttempt = min(TimeGenerated), LatestLogonAttempt = max(TimeGenerated), TotalLogonAttempts = count() by Computer, HostIP, RemoteIP
  // Calculate the time between first and last logon attempt (AttemptPeriodLength)
  | extend TimeBetweenLogonAttempts = LatestLogonAttempt - FirstLogonAttempt
  | where TotalLogonAttempts >= threshold
  | project FirstLogonAttempt, LatestLogonAttempt, TimeBetweenLogonAttempts, TotalLogonAttempts, SourceAddress = RemoteIP, DestinationHost = Computer, DestinationAddress = HostIP
  | sort by DestinationHost asc nulls last
  | extend timestamp = FirstLogonAttempt, HostCustomEntity = DestinationHost, IPCustomEntity = DestinationAddress  
id: e7ec9fa6-e7f7-41ed-a34b-b956837a3ee6
triggerOperator: gt
version: 1.0.1
description: |
  'Identifies failed logon attempts from unknown users in Syslog authpriv logs. The unknown user means the account that tried to log in 
  isn't provisioned on the machine. A few hits could indicate someone attempting to access a machine they aren't authorized to access. 
  If there are many of hits, especially from outside your network, it could indicate a brute force attack. 
  Default threshold for logon attempts is 15.'  
queryPeriod: 1d
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Syslog/Analytic Rules/FailedLogonAttempts_UnknownUser.yaml
requiredDataConnectors:
- connectorId: Syslog
  dataTypes:
  - Syslog
name: Failed logon attempts in authpriv
tactics:
- CredentialAccess
kind: Scheduled
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/e7ec9fa6-e7f7-41ed-a34b-b956837a3ee6')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/e7ec9fa6-e7f7-41ed-a34b-b956837a3ee6')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01",
      "properties": {
        "displayName": "Failed logon attempts in authpriv",
        "description": "'Identifies failed logon attempts from unknown users in Syslog authpriv logs. The unknown user means the account that tried to log in \nisn't provisioned on the machine. A few hits could indicate someone attempting to access a machine they aren't authorized to access. \nIf there are many of hits, especially from outside your network, it could indicate a brute force attack. \nDefault threshold for logon attempts is 15.'\n",
        "severity": "Medium",
        "enabled": true,
        "query": "let threshold = 15;\n// Below pulls messages from syslog-authpriv logs where there was an authentication failure with an unknown user.\n// IP address of system attempting logon is also extracted from the SyslogMessage field. Some of these messages\n// are aggregated.\nSyslog\n| where Facility =~ \"authpriv\"\n| where SyslogMessage has \"authentication failure\" and SyslogMessage has \" uid=0\"\n| parse SyslogMessage with * \"rhost=\" RemoteIP\n| project TimeGenerated, Computer, ProcessName, HostIP, RemoteIP, ProcessID\n| join kind=innerunique (\n    // Below pulls messages from syslog-authpriv logs that show each instance an unknown user tried to logon. \n    Syslog \n    | where Facility =~ \"authpriv\"\n    | where SyslogMessage has \"user unknown\"\n    | project Computer, HostIP, ProcessID\n    ) on Computer, HostIP, ProcessID\n// Count the number of failed logon attempts by External IP and internal machine\n| summarize FirstLogonAttempt = min(TimeGenerated), LatestLogonAttempt = max(TimeGenerated), TotalLogonAttempts = count() by Computer, HostIP, RemoteIP\n// Calculate the time between first and last logon attempt (AttemptPeriodLength)\n| extend TimeBetweenLogonAttempts = LatestLogonAttempt - FirstLogonAttempt\n| where TotalLogonAttempts >= threshold\n| project FirstLogonAttempt, LatestLogonAttempt, TimeBetweenLogonAttempts, TotalLogonAttempts, SourceAddress = RemoteIP, DestinationHost = Computer, DestinationAddress = HostIP\n| sort by DestinationHost asc nulls last\n| extend timestamp = FirstLogonAttempt, HostCustomEntity = DestinationHost, IPCustomEntity = DestinationAddress\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P1D",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CredentialAccess"
        ],
        "techniques": [
          "T1110"
        ],
        "alertRuleTemplateName": "e7ec9fa6-e7f7-41ed-a34b-b956837a3ee6",
        "customDetails": null,
        "entityMappings": [
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "identifier": "FullName",
                "columnName": "HostCustomEntity"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "identifier": "Address",
                "columnName": "IPCustomEntity"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Syslog/Analytic Rules/FailedLogonAttempts_UnknownUser.yaml",
        "templateVersion": "1.0.1"
      }
    }
  ]
}