Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Mimecast Audit - Logon Authentication Failed

Back
Idf00197ab-491f-41e7-9e22-a7003a4c1e54
RulenameMimecast Audit - Logon Authentication Failed
DescriptionDetects threat when logon authentication failure found in audit
SeverityHigh
TacticsDiscovery
InitialAccess
CredentialAccess
TechniquesT1110
Required data connectorsMimecastAuditAPI
KindScheduled
Query frequency30m
Query period30m
Trigger threshold3
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Mimecast/Analytic Rules/MimecastAudit/Mimecast_Audit.yaml
Version1.0.1
Arm templatef00197ab-491f-41e7-9e22-a7003a4c1e54.json
Deploy To Azure
MimecastAudit 
| where ['Source IP'] !="" and ['Audit Type'] == "Logon Authentication Failed"
| extend   SourceIp = ['Source IP'] 
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Mimecast/Analytic Rules/MimecastAudit/Mimecast_Audit.yaml
query: |
  MimecastAudit 
  | where ['Source IP'] !="" and ['Audit Type'] == "Logon Authentication Failed"
  | extend   SourceIp = ['Source IP']   
description: Detects threat when logon authentication failure found in audit
severity: High
alertRuleTemplateName: 
incidentConfiguration:
  groupingConfiguration:
    lookbackDuration: P7D
    reopenClosedIncident: false
    enabled: true
    matchingMethod: AllEntities
  createIncident: true
eventGroupingSettings:
  aggregationKind: SingleAlert
name: Mimecast Audit - Logon Authentication Failed
triggerThreshold: 3
version: 1.0.1
customDetails: 
displayName: Mimecast Audit - Logon Authentication Failed
requiredDataConnectors:
- dataTypes:
  - MimecastAudit
  connectorId: MimecastAuditAPI
alertDetailsOverride: 
relevantTechniques:
- T1110
triggerOperator: gt
entityMappings:
- entityType: IP
  fieldMappings:
  - columnName: SourceIp
    identifier: Address
- entityType: Mailbox
  fieldMappings:
  - columnName: User
    identifier: MailboxPrimaryAddress
- entityType: CloudApplication
  fieldMappings:
  - columnName: Application
    identifier: AppId
id: f00197ab-491f-41e7-9e22-a7003a4c1e54
kind: Scheduled
suppressionEnabled: false
queryFrequency: 30m
enabled: true
queryPeriod: 30m
suppressionDuration: 5h
tactics:
- Discovery
- InitialAccess
- CredentialAccess
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/f00197ab-491f-41e7-9e22-a7003a4c1e54')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/f00197ab-491f-41e7-9e22-a7003a4c1e54')]",
      "properties": {
        "alertDetailsOverride": null,
        "alertRuleTemplateName": null,
        "customDetails": null,
        "description": "Detects threat when logon authentication failure found in audit",
        "displayName": "Mimecast Audit - Logon Authentication Failed",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "SourceIp",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "Mailbox",
            "fieldMappings": [
              {
                "columnName": "User",
                "identifier": "MailboxPrimaryAddress"
              }
            ]
          },
          {
            "entityType": "CloudApplication",
            "fieldMappings": [
              {
                "columnName": "Application",
                "identifier": "AppId"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "SingleAlert"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": true,
            "lookbackDuration": "P7D",
            "matchingMethod": "AllEntities",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Mimecast/Analytic Rules/MimecastAudit/Mimecast_Audit.yaml",
        "query": "MimecastAudit \n| where ['Source IP'] !=\"\" and ['Audit Type'] == \"Logon Authentication Failed\"\n| extend   SourceIp = ['Source IP'] \n",
        "queryFrequency": "PT30M",
        "queryPeriod": "PT30M",
        "severity": "High",
        "subTechniques": [],
        "suppressionDuration": "PT5H",
        "suppressionEnabled": false,
        "tactics": [
          "CredentialAccess",
          "Discovery",
          "InitialAccess"
        ],
        "techniques": [
          "T1110"
        ],
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 3
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}