Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Failed logon attempts in authpriv

Back
Ide7ec9fa6-e7f7-41ed-a34b-b956837a3ee6
RulenameFailed logon attempts in authpriv
DescriptionIdentifies failed logon attempts from unknown users in Syslog authpriv logs. The unknown user means the account that tried to log in isn’t provisioned on the machine. A few hits could indicate someone attempting to access a machine they aren’t authorized to access.

If there are many of hits, especially from outside your network, it could indicate a brute force attack.

Default threshold for logon attempts is 15.
SeverityMedium
TacticsCredentialAccess
TechniquesT1110
Required data connectorsSyslog
SyslogAma
KindScheduled
Query frequency1d
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Syslog/Analytic Rules/FailedLogonAttempts_UnknownUser.yaml
Version1.0.5
Arm templatee7ec9fa6-e7f7-41ed-a34b-b956837a3ee6.json
Deploy To Azure
let threshold = 15;
// Below pulls messages from syslog-authpriv logs where there was an authentication failure with an unknown user.
// IP address of system attempting logon is also extracted from the SyslogMessage field. Some of these messages
// are aggregated.
Syslog
| where Facility =~ "authpriv"
| where SyslogMessage has "authentication failure" and SyslogMessage has " uid=0"
| extend RemoteIP = extract(@".*?rhost=([\d.]+).*?", 1,SyslogMessage)
| project TimeGenerated, Computer, ProcessName, HostIP, RemoteIP, ProcessID
| join kind=innerunique (
    // Below pulls messages from syslog-authpriv logs that show each instance an unknown user tried to logon. 
    Syslog 
    | where Facility =~ "authpriv"
    | where SyslogMessage has "user unknown"
    | project Computer, HostIP, ProcessID
    ) on Computer, HostIP, ProcessID
// Count the number of failed logon attempts by External IP and internal machine
| summarize FirstLogonAttempt = min(TimeGenerated), LatestLogonAttempt = max(TimeGenerated), TotalLogonAttempts = count() by Computer, HostIP, RemoteIP
// Calculate the time between first and last logon attempt (AttemptPeriodLength)
| extend TimeBetweenLogonAttempts = LatestLogonAttempt - FirstLogonAttempt
| where TotalLogonAttempts >= threshold
| project FirstLogonAttempt, LatestLogonAttempt, TimeBetweenLogonAttempts, TotalLogonAttempts, SourceAddress = RemoteIP, Computer,  HostIP
| sort by Computer asc nulls last
queryPeriod: 1d
version: 1.0.5
tactics:
- CredentialAccess
queryFrequency: 1d
id: e7ec9fa6-e7f7-41ed-a34b-b956837a3ee6
triggerOperator: gt
requiredDataConnectors:
- dataTypes:
  - Syslog
  connectorId: Syslog
- dataTypes:
  - Syslog
  connectorId: SyslogAma
severity: Medium
entityMappings:
- entityType: Host
  fieldMappings:
  - columnName: Computer
    identifier: FullName
- entityType: IP
  fieldMappings:
  - columnName: HostIP
    identifier: Address
triggerThreshold: 0
relevantTechniques:
- T1110
query: |
  let threshold = 15;
  // Below pulls messages from syslog-authpriv logs where there was an authentication failure with an unknown user.
  // IP address of system attempting logon is also extracted from the SyslogMessage field. Some of these messages
  // are aggregated.
  Syslog
  | where Facility =~ "authpriv"
  | where SyslogMessage has "authentication failure" and SyslogMessage has " uid=0"
  | extend RemoteIP = extract(@".*?rhost=([\d.]+).*?", 1,SyslogMessage)
  | project TimeGenerated, Computer, ProcessName, HostIP, RemoteIP, ProcessID
  | join kind=innerunique (
      // Below pulls messages from syslog-authpriv logs that show each instance an unknown user tried to logon. 
      Syslog 
      | where Facility =~ "authpriv"
      | where SyslogMessage has "user unknown"
      | project Computer, HostIP, ProcessID
      ) on Computer, HostIP, ProcessID
  // Count the number of failed logon attempts by External IP and internal machine
  | summarize FirstLogonAttempt = min(TimeGenerated), LatestLogonAttempt = max(TimeGenerated), TotalLogonAttempts = count() by Computer, HostIP, RemoteIP
  // Calculate the time between first and last logon attempt (AttemptPeriodLength)
  | extend TimeBetweenLogonAttempts = LatestLogonAttempt - FirstLogonAttempt
  | where TotalLogonAttempts >= threshold
  | project FirstLogonAttempt, LatestLogonAttempt, TimeBetweenLogonAttempts, TotalLogonAttempts, SourceAddress = RemoteIP, Computer,  HostIP
  | sort by Computer asc nulls last  
kind: Scheduled
name: Failed logon attempts in authpriv
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Syslog/Analytic Rules/FailedLogonAttempts_UnknownUser.yaml
description: |
  'Identifies failed logon attempts from unknown users in Syslog authpriv logs. The unknown user means the account that tried to log in isn't provisioned on the machine. A few hits could indicate someone attempting to access a machine they aren't authorized to access. 
  If there are many of hits, especially from outside your network, it could indicate a brute force attack. 
  Default threshold for logon attempts is 15.'  
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/e7ec9fa6-e7f7-41ed-a34b-b956837a3ee6')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/e7ec9fa6-e7f7-41ed-a34b-b956837a3ee6')]",
      "properties": {
        "alertRuleTemplateName": "e7ec9fa6-e7f7-41ed-a34b-b956837a3ee6",
        "customDetails": null,
        "description": "'Identifies failed logon attempts from unknown users in Syslog authpriv logs. The unknown user means the account that tried to log in isn't provisioned on the machine. A few hits could indicate someone attempting to access a machine they aren't authorized to access. \nIf there are many of hits, especially from outside your network, it could indicate a brute force attack. \nDefault threshold for logon attempts is 15.'\n",
        "displayName": "Failed logon attempts in authpriv",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "Computer",
                "identifier": "FullName"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "HostIP",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Syslog/Analytic Rules/FailedLogonAttempts_UnknownUser.yaml",
        "query": "let threshold = 15;\n// Below pulls messages from syslog-authpriv logs where there was an authentication failure with an unknown user.\n// IP address of system attempting logon is also extracted from the SyslogMessage field. Some of these messages\n// are aggregated.\nSyslog\n| where Facility =~ \"authpriv\"\n| where SyslogMessage has \"authentication failure\" and SyslogMessage has \" uid=0\"\n| extend RemoteIP = extract(@\".*?rhost=([\\d.]+).*?\", 1,SyslogMessage)\n| project TimeGenerated, Computer, ProcessName, HostIP, RemoteIP, ProcessID\n| join kind=innerunique (\n    // Below pulls messages from syslog-authpriv logs that show each instance an unknown user tried to logon. \n    Syslog \n    | where Facility =~ \"authpriv\"\n    | where SyslogMessage has \"user unknown\"\n    | project Computer, HostIP, ProcessID\n    ) on Computer, HostIP, ProcessID\n// Count the number of failed logon attempts by External IP and internal machine\n| summarize FirstLogonAttempt = min(TimeGenerated), LatestLogonAttempt = max(TimeGenerated), TotalLogonAttempts = count() by Computer, HostIP, RemoteIP\n// Calculate the time between first and last logon attempt (AttemptPeriodLength)\n| extend TimeBetweenLogonAttempts = LatestLogonAttempt - FirstLogonAttempt\n| where TotalLogonAttempts >= threshold\n| project FirstLogonAttempt, LatestLogonAttempt, TimeBetweenLogonAttempts, TotalLogonAttempts, SourceAddress = RemoteIP, Computer,  HostIP\n| sort by Computer asc nulls last\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P1D",
        "severity": "Medium",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CredentialAccess"
        ],
        "techniques": [
          "T1110"
        ],
        "templateVersion": "1.0.5",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}