StealthTalk - Password brute force
| Field | Value |
|---|---|
| Id | b8e5f3a2-9c4d-4d1f-8a7b-3c2d1e0f9a8b |
| Rulename | StealthTalk - Password brute force |
| Description | Identifies a brute-force authentication attempt against a single StealthTalk user account. The StealthTalk anti-brute-force subsystem emits a `MultiFailLogin` event when consecutive failed attempts trigger an automatic account lockout. This rule fires when the reported number of consecutive failures is 9 or more, distinguishing a credential-guessing attack from an isolated user error. The lockout duration (`LoginBlockingSeconds`) is surfaced as a custom detail so the SOC analyst can prioritise by attack persistence. |
| Severity | High |
| Tactics | CredentialAccess InitialAccess |
| Techniques | T1110 |
| Required data connectors | StealthTalkAnomalousAuth |
| Kind | Scheduled |
| Query frequency | 15m |
| Query period | 5h |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/StealthTalk/Analytic Rules/PasswordBruteForce.yaml |
| Version | 1.0.0 |
| Arm template | b8e5f3a2-9c4d-4d1f-8a7b-3c2d1e0f9a8b.json |
let LookbackPeriod = 5h;
let MinFailedAttempts = 9;
StealthTalkAnomalousAuth_CL
| where TimeGenerated >= ago(LookbackPeriod)
| where EventType == "MultiFailLogin"
| where PassedAttempts >= MinFailedAttempts
| extend
    BlockingMinutes = LoginBlockingSeconds / 60,
    AlertName = "PasswordBruteForce",
    AlertDetails = strcat(
        "User ", UserId,
        " had ", PassedAttempts, " consecutive failed login attempts",
        " on device ", DeviceId, ".",
        " Account blocked for ", LoginBlockingSeconds, " seconds",
        " (", LoginBlockingSeconds / 60, " min)."
    )
| project
    TimeGenerated, UserId, DeviceId,
    PassedAttempts, LoginBlockingSeconds, BlockingMinutes,
    AppVersion, RawEventId, AlertName, AlertDetails
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: Name
        columnName: UserId
  - entityType: Host
    fieldMappings:
      - identifier: HostName
        columnName: DeviceId
tactics:
  - CredentialAccess
  - InitialAccess
suppressionEnabled: false
suppressionDuration: 5h
requiredDataConnectors:
  - dataTypes:
      - StealthTalkAnomalousAuth_CL
    connectorId: StealthTalkAnomalousAuth
alertDetailsOverride:
  alertDisplayNameFormat: 'StealthTalk: Password Brute Force - {{UserId}} ({{PassedAttempts}} failed attempts)'
  alertDescriptionFormat: '{{AlertDetails}}'
incidentConfiguration:
  groupingConfiguration:
    reopenClosedIncident: false
    lookbackDuration: 5h
    groupByEntities:
      - Account
    enabled: true
    matchingMethod: Selected
  createIncident: true
id: b8e5f3a2-9c4d-4d1f-8a7b-3c2d1e0f9a8b
severity: High
status: Available
customDetails:
  PassedAttempts: PassedAttempts
  EventReference: RawEventId
  LoginBlockingSeconds: LoginBlockingSeconds
  AppVersion: AppVersion
  BlockingMinutes: BlockingMinutes
query: |
  let LookbackPeriod = 5h;
  let MinFailedAttempts = 9;
  StealthTalkAnomalousAuth_CL
  | where TimeGenerated >= ago(LookbackPeriod)
  | where EventType == "MultiFailLogin"
  | where PassedAttempts >= MinFailedAttempts
  | extend
      BlockingMinutes = LoginBlockingSeconds / 60,
      AlertName = "PasswordBruteForce",
      AlertDetails = strcat(
          "User ", UserId,
          " had ", PassedAttempts, " consecutive failed login attempts",
          " on device ", DeviceId, ".",
          " Account blocked for ", LoginBlockingSeconds, " seconds",
          " (", LoginBlockingSeconds / 60, " min)."
      )
  | project
      TimeGenerated, UserId, DeviceId,
      PassedAttempts, LoginBlockingSeconds, BlockingMinutes,
      AppVersion, RawEventId, AlertName, AlertDetails
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/StealthTalk/Analytic Rules/PasswordBruteForce.yaml
kind: Scheduled
queryPeriod: 5h
version: 1.0.0
name: StealthTalk - Password brute force
queryFrequency: 15m
triggerThreshold: 0
relevantTechniques:
  - T1110
description: |
  Identifies a brute-force authentication attempt against a single StealthTalk user account. The StealthTalk anti-brute-force subsystem emits a `MultiFailLogin` event when consecutive failed attempts trigger an automatic account lockout. This rule fires when the reported number of consecutive failures is 9 or more, distinguishing a credential-guessing attack from an isolated user error. The lockout duration (`LoginBlockingSeconds`) is surfaced as a custom detail so the SOC analyst can prioritise by attack persistence.
triggerOperator: gt