Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Excessive Login Attempts Microsoft Defender for IoT

Back
Idf5217b4c-3f1f-4d89-b4f3-5d7581da1c1c
RulenameExcessive Login Attempts (Microsoft Defender for IoT)
DescriptionThis alert leverages Defender for IoT to detect excessive login attempts that may indicate improper service configuration, human error, or malicious activity on the network such as a cyber threat attempting to manipulate the SCADA network.
SeverityHigh
TacticsImpairProcessControl
TechniquesT0806
Required data connectorsIoT
KindScheduled
Query frequency5m
Query period5m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/IoTOTThreatMonitoringwithDefenderforIoT/Analytic Rules/IoTExcessiveLoginAttempts.yaml
Version1.0.3
Arm templatef5217b4c-3f1f-4d89-b4f3-5d7581da1c1c.json
Deploy To Azure
SecurityAlert
| where ProviderName == "IoTSecurity"
| where AlertName in ("Excessive Login Attempts","Excessive SMB login attempts","Password Guessing Attempt Detected","Excessive Number of Sessions") 
| extend ExtendedProperties = parse_json(ExtendedProperties)
| where tostring(ExtendedProperties.isNew) == "True"
| extend DeviceId = tostring(ExtendedProperties.DeviceId), 
         SourceDeviceAddress = tostring(ExtendedProperties.SourceDeviceAddress), 
         DestDeviceAddress = tostring(ExtendedProperties.DestinationDeviceAddress), 
         RemediationSteps = tostring(parse_json(RemediationSteps)[0]), 
         Protocol = tostring(ExtendedProperties.Protocol), 
         AlertManagementUri = tostring(ExtendedProperties.AlertManagementUri)
| project
  TimeGenerated,
  DeviceId,
  ProductName,
  ProductComponentName,
  AlertSeverity,
  AlertName,
  Description,
  Protocol,
  SourceDeviceAddress,
  DestDeviceAddress,
  RemediationSteps,
  Tactics,
  Entities,
  VendorOriginalId,
  AlertLink,
  AlertManagementUri,
  Techniques
customDetails:
  AlertManagementUri: AlertManagementUri
  Sensor: DeviceId
  VendorOriginalId: VendorOriginalId
  Protocol: Protocol
alertDetailsOverride:
  alertDescriptionFormat: (MDIoT) {{Description}}
  alertDisplayNameFormat: (MDIoT) {{AlertName}}
  alertDynamicProperties:
  - alertProperty: ProductName
    value: ProductName
  - alertProperty: RemediationSteps
    value: RemediationSteps
  - alertProperty: Techniques
    value: Techniques
  - alertProperty: ProductComponentName
    value: ProductComponentName
  - alertProperty: AlertLink
    value: AlertLink
  alertSeverityColumnName: AlertSeverity
  alertTacticsColumnName: Tactics
version: 1.0.3
relevantTechniques:
- T0806
description: |
    'This alert leverages Defender for IoT to detect excessive login attempts that may indicate improper service configuration, human error, or malicious activity on the network such as a cyber threat attempting to manipulate the SCADA network.'
requiredDataConnectors:
- connectorId: IoT
  dataTypes:
  - SecurityAlert (ASC for IoT)
entityMappings: 
triggerThreshold: 0
eventGroupingSettings:
  aggregationKind: AlertPerResult
id: f5217b4c-3f1f-4d89-b4f3-5d7581da1c1c
tactics:
- ImpairProcessControl
queryPeriod: 5m
sentinelEntitiesMappings:
- columnName: Entities
query: |
  SecurityAlert
  | where ProviderName == "IoTSecurity"
  | where AlertName in ("Excessive Login Attempts","Excessive SMB login attempts","Password Guessing Attempt Detected","Excessive Number of Sessions") 
  | extend ExtendedProperties = parse_json(ExtendedProperties)
  | where tostring(ExtendedProperties.isNew) == "True"
  | extend DeviceId = tostring(ExtendedProperties.DeviceId), 
           SourceDeviceAddress = tostring(ExtendedProperties.SourceDeviceAddress), 
           DestDeviceAddress = tostring(ExtendedProperties.DestinationDeviceAddress), 
           RemediationSteps = tostring(parse_json(RemediationSteps)[0]), 
           Protocol = tostring(ExtendedProperties.Protocol), 
           AlertManagementUri = tostring(ExtendedProperties.AlertManagementUri)
  | project
    TimeGenerated,
    DeviceId,
    ProductName,
    ProductComponentName,
    AlertSeverity,
    AlertName,
    Description,
    Protocol,
    SourceDeviceAddress,
    DestDeviceAddress,
    RemediationSteps,
    Tactics,
    Entities,
    VendorOriginalId,
    AlertLink,
    AlertManagementUri,
    Techniques  
severity: High
name: Excessive Login Attempts (Microsoft Defender for IoT)
kind: Scheduled
queryFrequency: 5m
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/IoTOTThreatMonitoringwithDefenderforIoT/Analytic Rules/IoTExcessiveLoginAttempts.yaml
triggerOperator: gt
status: Available
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/f5217b4c-3f1f-4d89-b4f3-5d7581da1c1c')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/f5217b4c-3f1f-4d89-b4f3-5d7581da1c1c')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "(MDIoT) {{Description}}",
          "alertDisplayNameFormat": "(MDIoT) {{AlertName}}",
          "alertDynamicProperties": [
            {
              "alertProperty": "ProductName",
              "value": "ProductName"
            },
            {
              "alertProperty": "RemediationSteps",
              "value": "RemediationSteps"
            },
            {
              "alertProperty": "Techniques",
              "value": "Techniques"
            },
            {
              "alertProperty": "ProductComponentName",
              "value": "ProductComponentName"
            },
            {
              "alertProperty": "AlertLink",
              "value": "AlertLink"
            }
          ],
          "alertSeverityColumnName": "AlertSeverity",
          "alertTacticsColumnName": "Tactics"
        },
        "alertRuleTemplateName": "f5217b4c-3f1f-4d89-b4f3-5d7581da1c1c",
        "customDetails": {
          "AlertManagementUri": "AlertManagementUri",
          "Protocol": "Protocol",
          "Sensor": "DeviceId",
          "VendorOriginalId": "VendorOriginalId"
        },
        "description": "'This alert leverages Defender for IoT to detect excessive login attempts that may indicate improper service configuration, human error, or malicious activity on the network such as a cyber threat attempting to manipulate the SCADA network.'\n",
        "displayName": "Excessive Login Attempts (Microsoft Defender for IoT)",
        "enabled": true,
        "entityMappings": null,
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/IoTOTThreatMonitoringwithDefenderforIoT/Analytic Rules/IoTExcessiveLoginAttempts.yaml",
        "query": "SecurityAlert\n| where ProviderName == \"IoTSecurity\"\n| where AlertName in (\"Excessive Login Attempts\",\"Excessive SMB login attempts\",\"Password Guessing Attempt Detected\",\"Excessive Number of Sessions\") \n| extend ExtendedProperties = parse_json(ExtendedProperties)\n| where tostring(ExtendedProperties.isNew) == \"True\"\n| extend DeviceId = tostring(ExtendedProperties.DeviceId), \n         SourceDeviceAddress = tostring(ExtendedProperties.SourceDeviceAddress), \n         DestDeviceAddress = tostring(ExtendedProperties.DestinationDeviceAddress), \n         RemediationSteps = tostring(parse_json(RemediationSteps)[0]), \n         Protocol = tostring(ExtendedProperties.Protocol), \n         AlertManagementUri = tostring(ExtendedProperties.AlertManagementUri)\n| project\n  TimeGenerated,\n  DeviceId,\n  ProductName,\n  ProductComponentName,\n  AlertSeverity,\n  AlertName,\n  Description,\n  Protocol,\n  SourceDeviceAddress,\n  DestDeviceAddress,\n  RemediationSteps,\n  Tactics,\n  Entities,\n  VendorOriginalId,\n  AlertLink,\n  AlertManagementUri,\n  Techniques\n",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "sentinelEntitiesMappings": [
          {
            "columnName": "Entities"
          }
        ],
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "ImpairProcessControl"
        ],
        "techniques": null,
        "templateVersion": "1.0.3",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}