Mimecast Audit - Logon Authentication Failed

Back


Id	f00197ab-491f-41e7-9e22-a7003a4c1e54
Rulename	Mimecast Audit - Logon Authentication Failed
Description	Detects threat when logon authentication failure found in audit
Severity	High
Tactics	Discovery InitialAccess CredentialAccess
Techniques	T1110
Required data connectors	MimecastAuditAPI
Kind	Scheduled
Query frequency	30m
Query period	30m
Trigger threshold	3
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Mimecast/Analytic Rules/MimecastAudit/Mimecast_Audit.yaml
Version	1.0.1
Arm template	f00197ab-491f-41e7-9e22-a7003a4c1e54.json

KQL

MimecastAudit 
| where ['Source IP'] !="" and ['Audit Type'] == "Logon Authentication Failed"
| extend   SourceIp = ['Source IP']

YAML

kind: Scheduled
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Mimecast/Analytic Rules/MimecastAudit/Mimecast_Audit.yaml
alertRuleTemplateName: 
suppressionDuration: 5h
description: Detects threat when logon authentication failure found in audit
query: |
  MimecastAudit 
  | where ['Source IP'] !="" and ['Audit Type'] == "Logon Authentication Failed"
  | extend   SourceIp = ['Source IP']   
eventGroupingSettings:
  aggregationKind: SingleAlert
customDetails: 
entityMappings:
- entityType: IP
  fieldMappings:
  - columnName: SourceIp
    identifier: Address
- entityType: Mailbox
  fieldMappings:
  - columnName: User
    identifier: MailboxPrimaryAddress
- entityType: CloudApplication
  fieldMappings:
  - columnName: Application
    identifier: AppId
suppressionEnabled: false
displayName: Mimecast Audit - Logon Authentication Failed
incidentConfiguration:
  groupingConfiguration:
    reopenClosedIncident: false
    matchingMethod: AllEntities
    lookbackDuration: P7D
    enabled: true
  createIncident: true
version: 1.0.1
name: Mimecast Audit - Logon Authentication Failed
tactics:
- Discovery
- InitialAccess
- CredentialAccess
queryPeriod: 30m
requiredDataConnectors:
- dataTypes:
  - MimecastAudit
  connectorId: MimecastAuditAPI
triggerOperator: gt
triggerThreshold: 3
enabled: true
queryFrequency: 30m
alertDetailsOverride: 
relevantTechniques:
- T1110
severity: High
id: f00197ab-491f-41e7-9e22-a7003a4c1e54

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/f00197ab-491f-41e7-9e22-a7003a4c1e54')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/f00197ab-491f-41e7-9e22-a7003a4c1e54')]",
      "properties": {
        "alertDetailsOverride": null,
        "alertRuleTemplateName": "f00197ab-491f-41e7-9e22-a7003a4c1e54",
        "customDetails": null,
        "description": "Detects threat when logon authentication failure found in audit",
        "displayName": "Mimecast Audit - Logon Authentication Failed",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "SourceIp",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "Mailbox",
            "fieldMappings": [
              {
                "columnName": "User",
                "identifier": "MailboxPrimaryAddress"
              }
            ]
          },
          {
            "entityType": "CloudApplication",
            "fieldMappings": [
              {
                "columnName": "Application",
                "identifier": "AppId"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "SingleAlert"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": true,
            "lookbackDuration": "P7D",
            "matchingMethod": "AllEntities",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Mimecast/Analytic Rules/MimecastAudit/Mimecast_Audit.yaml",
        "query": "MimecastAudit \n| where ['Source IP'] !=\"\" and ['Audit Type'] == \"Logon Authentication Failed\"\n| extend   SourceIp = ['Source IP'] \n",
        "queryFrequency": "PT30M",
        "queryPeriod": "PT30M",
        "severity": "High",
        "subTechniques": [],
        "suppressionDuration": "PT5H",
        "suppressionEnabled": false,
        "tactics": [
          "CredentialAccess",
          "Discovery",
          "InitialAccess"
        ],
        "techniques": [
          "T1110"
        ],
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 3
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}