Mimecast Audit - Logon Authentication Failed

Back


Id	f00197ab-491f-41e7-9e22-a7003a4c1e54
Rulename	Mimecast Audit - Logon Authentication Failed
Description	Detects threat when logon authentication failure found in audit
Severity	High
Tactics	Discovery InitialAccess CredentialAccess
Techniques	T1110
Required data connectors	MimecastAuditAPI
Kind	Scheduled
Query frequency	30m
Query period	30m
Trigger threshold	3
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Mimecast/Analytic Rules/MimecastAudit/Mimecast_Audit.yaml
Version	1.0.1
Arm template	f00197ab-491f-41e7-9e22-a7003a4c1e54.json

KQL

MimecastAudit 
| where ['Source IP'] !="" and ['Audit Type'] == "Logon Authentication Failed"
| extend   SourceIp = ['Source IP']

YAML

requiredDataConnectors:
- connectorId: MimecastAuditAPI
  dataTypes:
  - MimecastAudit
query: |
  MimecastAudit 
  | where ['Source IP'] !="" and ['Audit Type'] == "Logon Authentication Failed"
  | extend   SourceIp = ['Source IP']   
displayName: Mimecast Audit - Logon Authentication Failed
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Mimecast/Analytic Rules/MimecastAudit/Mimecast_Audit.yaml
triggerOperator: gt
queryPeriod: 30m
triggerThreshold: 3
kind: Scheduled
enabled: true
suppressionDuration: 5h
relevantTechniques:
- T1110
name: Mimecast Audit - Logon Authentication Failed
description: Detects threat when logon authentication failure found in audit
severity: High
tactics:
- Discovery
- InitialAccess
- CredentialAccess
customDetails: 
suppressionEnabled: false
version: 1.0.1
entityMappings:
- entityType: IP
  fieldMappings:
  - columnName: SourceIp
    identifier: Address
- entityType: Mailbox
  fieldMappings:
  - columnName: User
    identifier: MailboxPrimaryAddress
- entityType: CloudApplication
  fieldMappings:
  - columnName: Application
    identifier: AppId
queryFrequency: 30m
eventGroupingSettings:
  aggregationKind: SingleAlert
alertRuleTemplateName: 
alertDetailsOverride: 
id: f00197ab-491f-41e7-9e22-a7003a4c1e54
incidentConfiguration:
  groupingConfiguration:
    reopenClosedIncident: false
    matchingMethod: AllEntities
    lookbackDuration: P7D
    enabled: true
  createIncident: true

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/f00197ab-491f-41e7-9e22-a7003a4c1e54')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/f00197ab-491f-41e7-9e22-a7003a4c1e54')]",
      "properties": {
        "alertDetailsOverride": null,
        "alertRuleTemplateName": "f00197ab-491f-41e7-9e22-a7003a4c1e54",
        "customDetails": null,
        "description": "Detects threat when logon authentication failure found in audit",
        "displayName": "Mimecast Audit - Logon Authentication Failed",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "SourceIp",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "Mailbox",
            "fieldMappings": [
              {
                "columnName": "User",
                "identifier": "MailboxPrimaryAddress"
              }
            ]
          },
          {
            "entityType": "CloudApplication",
            "fieldMappings": [
              {
                "columnName": "Application",
                "identifier": "AppId"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "SingleAlert"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": true,
            "lookbackDuration": "P7D",
            "matchingMethod": "AllEntities",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Mimecast/Analytic Rules/MimecastAudit/Mimecast_Audit.yaml",
        "query": "MimecastAudit \n| where ['Source IP'] !=\"\" and ['Audit Type'] == \"Logon Authentication Failed\"\n| extend   SourceIp = ['Source IP'] \n",
        "queryFrequency": "PT30M",
        "queryPeriod": "PT30M",
        "severity": "High",
        "subTechniques": [],
        "suppressionDuration": "PT5H",
        "suppressionEnabled": false,
        "tactics": [
          "CredentialAccess",
          "Discovery",
          "InitialAccess"
        ],
        "techniques": [
          "T1110"
        ],
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 3
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}