Microsoft Sentinel Analytic Rules

StealthTalk - Password brute force

Id: b8e5f3a2-9c4d-4d1f-8a7b-3c2d1e0f9a8b
Rule name: StealthTalk - Password brute force
Description: Identifies a brute-force authentication attempt against a single StealthTalk user account. The StealthTalk anti-brute-force subsystem emits a `MultiFailLogin` event when consecutive failed attempts trigger an automatic account lockout. This rule fires when the reported number of consecutive failures is 9 or more, distinguishing a credential-guessing attack from an isolated user error. The lockout duration (`LoginBlockingSeconds`) is surfaced as a custom detail so the SOC analyst can prioritise by attack persistence.
Severity: High
Tactics: CredentialAccess
InitialAccess
Techniques: T1110
Required data connectors: StealthTalkAnomalousAuth
Kind: Scheduled
Query frequency: 15m
Query period: 5h
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/StealthTalk/Analytic Rules/PasswordBruteForce.yaml
Version: 1.0.0
Arm template: b8e5f3a2-9c4d-4d1f-8a7b-3c2d1e0f9a8b.json
// StealthTalk - Password brute force
// Returns one row per StealthTalk lockout event (EventType "MultiFailLogin") whose reported
// run of consecutive failed logins is long enough to look like credential guessing rather
// than a mistyped password. UserId and DeviceId are projected for the rule's entity mappings;
// AlertName/AlertDetails feed the alert display override.
let LookbackPeriod    = 5h;   // matches the rule's queryPeriod
let MinFailedAttempts = 9;    // tuning knob: lower catches slower guessing, higher reduces noise
StealthTalkAnomalousAuth_CL
| where TimeGenerated >= ago(LookbackPeriod)
    and EventType == "MultiFailLogin"
    and PassedAttempts >= MinFailedAttempts
// NOTE(review): the rule is scheduled every 15m over a 5h window, so one event can be returned by
// several consecutive runs; incident grouping on Account absorbs this at the incident level, but
// confirm duplicate alerts are acceptable or align LookbackPeriod/queryPeriod with the run interval.
// NOTE(review): LoginBlockingSeconds / 60 truncates if the column is typed as long — confirm the
// table schema if exact minutes matter to analysts.
| extend
    BlockingMinutes = LoginBlockingSeconds / 60,
    AlertName       = "PasswordBruteForce",
    AlertDetails    = strcat(
        "User ", UserId,
        " had ", PassedAttempts, " consecutive failed login attempts",
        " on device ", DeviceId, ".",
        " Account blocked for ", LoginBlockingSeconds, " seconds",
        " (", LoginBlockingSeconds / 60, " min)."
    )
| project
    TimeGenerated, UserId, DeviceId,
    PassedAttempts, LoginBlockingSeconds, BlockingMinutes,
    AppVersion, RawEventId, AlertName, AlertDetails
# StealthTalk - Password brute force: Microsoft Sentinel scheduled analytic rule.
# Keys are grouped by concern (identity, schedule/trigger, detection query, entity and
# alert shaping, incident handling); key order carries no meaning to Sentinel.
id: b8e5f3a2-9c4d-4d1f-8a7b-3c2d1e0f9a8b
name: StealthTalk - Password brute force
description: |
  Identifies a brute-force authentication attempt against a single StealthTalk user account. The StealthTalk anti-brute-force subsystem emits a `MultiFailLogin` event when consecutive failed attempts trigger an automatic account lockout. This rule fires when the reported number of consecutive failures is 9 or more, distinguishing a credential-guessing attack from an isolated user error. The lockout duration (`LoginBlockingSeconds`) is surfaced as a custom detail so the SOC analyst can prioritise by attack persistence.
severity: High
status: Available
version: 1.0.0
kind: Scheduled
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/StealthTalk/Analytic Rules/PasswordBruteForce.yaml
requiredDataConnectors:
- connectorId: StealthTalkAnomalousAuth
  dataTypes:
  - StealthTalkAnomalousAuth_CL

# Schedule: every 15m run evaluates the last 5h of data, so the windows overlap and the same
# MultiFailLogin row can be returned by several consecutive runs (see incidentConfiguration).
queryFrequency: 15m
queryPeriod: 5h
# Any returned row raises an alert (result count > 0).
triggerOperator: gt
triggerThreshold: 0

tactics:
- CredentialAccess
- InitialAccess
relevantTechniques:
- T1110

query: |
  let LookbackPeriod    = 5h;
  let MinFailedAttempts = 9;
  StealthTalkAnomalousAuth_CL
  | where TimeGenerated >= ago(LookbackPeriod)
  | where EventType == "MultiFailLogin"
  | where PassedAttempts >= MinFailedAttempts
  | extend
      BlockingMinutes = LoginBlockingSeconds / 60,
      AlertName       = "PasswordBruteForce",
      AlertDetails    = strcat(
          "User ", UserId,
          " had ", PassedAttempts, " consecutive failed login attempts",
          " on device ", DeviceId, ".",
          " Account blocked for ", LoginBlockingSeconds, " seconds",
          " (", LoginBlockingSeconds / 60, " min)."
      )
  | project
      TimeGenerated, UserId, DeviceId,
      PassedAttempts, LoginBlockingSeconds, BlockingMinutes,
      AppVersion, RawEventId, AlertName, AlertDetails  

# Entities: the targeted account and the reporting device.
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: Name
    columnName: UserId
- entityType: Host
  fieldMappings:
  - identifier: HostName
    columnName: DeviceId
# Extra fields shown on the alert for triage (lockout length, failure count, event reference).
customDetails:
  AppVersion: AppVersion
  PassedAttempts: PassedAttempts
  EventReference: RawEventId
  LoginBlockingSeconds: LoginBlockingSeconds
  BlockingMinutes: BlockingMinutes
alertDetailsOverride:
  alertDisplayNameFormat: 'StealthTalk: Password Brute Force - {{UserId}} ({{PassedAttempts}} failed attempts)'
  alertDescriptionFormat: '{{AlertDetails}}'

# Suppression is disabled; suppressionDuration only takes effect once suppressionEnabled is true.
suppressionEnabled: false
suppressionDuration: 5h
incidentConfiguration:
  createIncident: true
  # Alerts for the same Account within 5h are grouped into one incident.
  groupingConfiguration:
    enabled: true
    reopenClosedIncident: false
    lookbackDuration: 5h
    matchingMethod: Selected
    groupByEntities:
    - Account