Mimecast Audit - Logon Authentication Failed

Back


Id	f00197ab-491f-41e7-9e22-a7003a4c1e54
Rulename	Mimecast Audit - Logon Authentication Failed
Description	Detects threat when logon authentication failure found in audit
Severity	High
Tactics	Discovery InitialAccess CredentialAccess
Techniques	T1110
Required data connectors	MimecastAuditAPI
Kind	Scheduled
Query frequency	30m
Query period	30m
Trigger threshold	3
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Mimecast/Analytic Rules/MimecastAudit/Mimecast_Audit.yaml
Version	1.0.1
Arm template	f00197ab-491f-41e7-9e22-a7003a4c1e54.json

KQL

MimecastAudit 
| where ['Source IP'] !="" and ['Audit Type'] == "Logon Authentication Failed"
| extend   SourceIp = ['Source IP']

YAML

relevantTechniques:
- T1110
requiredDataConnectors:
- dataTypes:
  - MimecastAudit
  connectorId: MimecastAuditAPI
triggerThreshold: 3
version: 1.0.1
queryFrequency: 30m
queryPeriod: 30m
enabled: true
eventGroupingSettings:
  aggregationKind: SingleAlert
id: f00197ab-491f-41e7-9e22-a7003a4c1e54
suppressionEnabled: false
customDetails: 
incidentConfiguration:
  groupingConfiguration:
    matchingMethod: AllEntities
    enabled: true
    lookbackDuration: P7D
    reopenClosedIncident: false
  createIncident: true
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Mimecast/Analytic Rules/MimecastAudit/Mimecast_Audit.yaml
displayName: Mimecast Audit - Logon Authentication Failed
query: |
  MimecastAudit 
  | where ['Source IP'] !="" and ['Audit Type'] == "Logon Authentication Failed"
  | extend   SourceIp = ['Source IP']   
alertDetailsOverride: 
suppressionDuration: 5h
entityMappings:
- fieldMappings:
  - identifier: Address
    columnName: SourceIp
  entityType: IP
- fieldMappings:
  - identifier: MailboxPrimaryAddress
    columnName: User
  entityType: Mailbox
- fieldMappings:
  - identifier: AppId
    columnName: Application
  entityType: CloudApplication
tactics:
- Discovery
- InitialAccess
- CredentialAccess
alertRuleTemplateName: 
severity: High
name: Mimecast Audit - Logon Authentication Failed
triggerOperator: gt
kind: Scheduled
description: Detects threat when logon authentication failure found in audit

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/f00197ab-491f-41e7-9e22-a7003a4c1e54')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/f00197ab-491f-41e7-9e22-a7003a4c1e54')]",
      "properties": {
        "alertDetailsOverride": null,
        "alertRuleTemplateName": "f00197ab-491f-41e7-9e22-a7003a4c1e54",
        "customDetails": null,
        "description": "Detects threat when logon authentication failure found in audit",
        "displayName": "Mimecast Audit - Logon Authentication Failed",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "SourceIp",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "Mailbox",
            "fieldMappings": [
              {
                "columnName": "User",
                "identifier": "MailboxPrimaryAddress"
              }
            ]
          },
          {
            "entityType": "CloudApplication",
            "fieldMappings": [
              {
                "columnName": "Application",
                "identifier": "AppId"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "SingleAlert"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": true,
            "lookbackDuration": "P7D",
            "matchingMethod": "AllEntities",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Mimecast/Analytic Rules/MimecastAudit/Mimecast_Audit.yaml",
        "query": "MimecastAudit \n| where ['Source IP'] !=\"\" and ['Audit Type'] == \"Logon Authentication Failed\"\n| extend   SourceIp = ['Source IP'] \n",
        "queryFrequency": "PT30M",
        "queryPeriod": "PT30M",
        "severity": "High",
        "subTechniques": [],
        "suppressionDuration": "PT5H",
        "suppressionEnabled": false,
        "tactics": [
          "CredentialAccess",
          "Discovery",
          "InitialAccess"
        ],
        "techniques": [
          "T1110"
        ],
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 3
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}