Failed AzureAD logons but success logon to host

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊

↑ Back to Content Index

---

Identifies a list of IP addresses with a minimum number (default of 5) of failed logon attempts to Microsoft Entra ID. Uses that list to identify any successful remote logons to hosts from these IPs within the same timeframe.

Attribute	Value
Type	Analytic Rule
Solution	Standalone Content
ID	8ee967a2-a645-4832-85f4-72b635bcb3a6
Severity	Medium
Kind	Scheduled
Tactics	InitialAccess, CredentialAccess
Techniques	T1078, T1110
Required Connectors	AzureActiveDirectory, AzureActiveDirectory, SecurityEvents, Syslog, WindowsSecurityEvents, WindowsForwardedEvents
Source	View on GitHub

Tables Used

This content item queries data from the following tables:

Table	Selection Criteria	Transformations	Ingestion API	Lake-Only
SecurityEvent		✓	✓	?
Syslog	Facility contains "auth" ProcessName != "sudo" SyslogMessage has "Accepted"	✓	✓	?
WindowsEvent		✓	✓	?

Associated Connectors

The following connectors provide data for this content item:

Connector	Solution
CiscoMeraki(usingRESTAPI)	CiscoMeraki
CiscoMerakiNativePoller	CiscoMeraki
CiscoSDWAN	Cisco SD-WAN
ESI-Opt34DomainControllersSecurityEventLogs	Microsoft Exchange Security - Exchange On-Premises
Forescout	Forescout (Legacy)
SecurityEvents	Windows Security Events
WindowsForwardedEvents	Windows Forwarded Events
WindowsSecurityEvents	Windows Security Events

Solutions: Cisco SD-WAN, CiscoMeraki, Forescout (Legacy), Microsoft Exchange Security - Exchange On-Premises, Windows Forwarded Events, Windows Security Events

---

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊

↑ Back to Analytic Rules