Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Mimecast Audit - Logon Authentication Failed

Back
Idf00197ab-491f-41e7-9e22-a7003a4c1e54
RulenameMimecast Audit - Logon Authentication Failed
DescriptionDetects threat when logon authentication failure found in audit
SeverityHigh
TacticsDiscovery
InitialAccess
CredentialAccess
TechniquesT1110
Required data connectorsMimecastAuditAPI
KindScheduled
Query frequency30m
Query period30m
Trigger threshold3
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Mimecast/Analytic Rules/MimecastAudit/Mimecast_Audit.yaml
Version1.0.1
Arm templatef00197ab-491f-41e7-9e22-a7003a4c1e54.json
Deploy To Azure
MimecastAudit 
| where ['Source IP'] !="" and ['Audit Type'] == "Logon Authentication Failed"
| extend   SourceIp = ['Source IP'] 
kind: Scheduled
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Mimecast/Analytic Rules/MimecastAudit/Mimecast_Audit.yaml
alertRuleTemplateName: 
suppressionDuration: 5h
description: Detects threat when logon authentication failure found in audit
query: |
  MimecastAudit 
  | where ['Source IP'] !="" and ['Audit Type'] == "Logon Authentication Failed"
  | extend   SourceIp = ['Source IP']   
eventGroupingSettings:
  aggregationKind: SingleAlert
customDetails: 
entityMappings:
- entityType: IP
  fieldMappings:
  - columnName: SourceIp
    identifier: Address
- entityType: Mailbox
  fieldMappings:
  - columnName: User
    identifier: MailboxPrimaryAddress
- entityType: CloudApplication
  fieldMappings:
  - columnName: Application
    identifier: AppId
suppressionEnabled: false
displayName: Mimecast Audit - Logon Authentication Failed
incidentConfiguration:
  groupingConfiguration:
    reopenClosedIncident: false
    matchingMethod: AllEntities
    lookbackDuration: P7D
    enabled: true
  createIncident: true
version: 1.0.1
name: Mimecast Audit - Logon Authentication Failed
tactics:
- Discovery
- InitialAccess
- CredentialAccess
queryPeriod: 30m
requiredDataConnectors:
- dataTypes:
  - MimecastAudit
  connectorId: MimecastAuditAPI
triggerOperator: gt
triggerThreshold: 3
enabled: true
queryFrequency: 30m
alertDetailsOverride: 
relevantTechniques:
- T1110
severity: High
id: f00197ab-491f-41e7-9e22-a7003a4c1e54
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/f00197ab-491f-41e7-9e22-a7003a4c1e54')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/f00197ab-491f-41e7-9e22-a7003a4c1e54')]",
      "properties": {
        "alertDetailsOverride": null,
        "alertRuleTemplateName": "f00197ab-491f-41e7-9e22-a7003a4c1e54",
        "customDetails": null,
        "description": "Detects threat when logon authentication failure found in audit",
        "displayName": "Mimecast Audit - Logon Authentication Failed",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "SourceIp",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "Mailbox",
            "fieldMappings": [
              {
                "columnName": "User",
                "identifier": "MailboxPrimaryAddress"
              }
            ]
          },
          {
            "entityType": "CloudApplication",
            "fieldMappings": [
              {
                "columnName": "Application",
                "identifier": "AppId"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "SingleAlert"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": true,
            "lookbackDuration": "P7D",
            "matchingMethod": "AllEntities",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Mimecast/Analytic Rules/MimecastAudit/Mimecast_Audit.yaml",
        "query": "MimecastAudit \n| where ['Source IP'] !=\"\" and ['Audit Type'] == \"Logon Authentication Failed\"\n| extend   SourceIp = ['Source IP'] \n",
        "queryFrequency": "PT30M",
        "queryPeriod": "PT30M",
        "severity": "High",
        "subTechniques": [],
        "suppressionDuration": "PT5H",
        "suppressionEnabled": false,
        "tactics": [
          "CredentialAccess",
          "Discovery",
          "InitialAccess"
        ],
        "techniques": [
          "T1110"
        ],
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 3
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}