Brute force attack against user credentials (Uses Authentication Normalization)
Identifies evidence of brute force activity against a user based on multiple authentication failures and at least one successful authentication within a given time window. Note that the query does not enforce any sequence, and does not require the successful authentication to occur last. The default failure threshold is 10, the success threshold is 1, and the default time window is 20 minutes. To use this analytics rule, make sure you have deployed the ASIM normalization parsers.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Credential Access | T1110 Brute Force |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Security-Auditing | 4624 | An account was successfully logged on. |
| Security-Auditing | 4625 | An account failed to log on. |
| Security-Auditing | 4634 | An account was logged off. |
Stages and Predicates
Stage 1: source
imAuthentication (the ASIM authentication parser, so any source the parsers normalize feeds the rule, not only the Windows Security events listed under Event coverage)
Stage 2: where
TargetUserType != "NonInteractive"
Stage 3: summarize
Per target user over the time window, producing the FailureCount and SuccessCount aggregates tested in Stage 4
Stage 4: where
FailureCount >= failureCountThreshold (the rule's threshold variable, default 10)
and
SuccessCount >= successCountThreshold (the rule's threshold variable, default 1)
Stage 5: extend
Stage 6: extend
Because Stage 3 only counts, a single legitimate logon followed by a burst of failures from the same window also satisfies Stage 4; the description above calls this out, and it is the main source of benign hits when tuning the thresholds.
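The pipeline above, emulated in Python over a handful of constructed ASIM-style records. This is an added example, not the rule's KQL and not Microsoft's code. It assumes the ASIM field names EventResult, TargetUsername, TargetUserType, SrcDvcIpAddr and TimeGenerated, and it stands in for the analytics rule's lookback with an explicit `now - window` filter. The sample data is made up to exercise the two behaviours that matter when tuning: the success does not have to come last, and NonInteractive targets never count, however many failures they produce.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Rule defaults, taken from the rule description on this page.
FAILURE_COUNT_THRESHOLD = 10
SUCCESS_COUNT_THRESHOLD = 1
TIME_RANGE = timedelta(minutes=20)


def brute_force_hits(events, now, failure_threshold=FAILURE_COUNT_THRESHOLD,
                     success_threshold=SUCCESS_COUNT_THRESHOLD, window=TIME_RANGE):
    """Emulate Stages 2-4 of the rule over ASIM-like authentication records.

    events: dicts with TimeGenerated (datetime), EventResult ("Success"/"Failure"),
    TargetUsername, TargetUserType and SrcDvcIpAddr (field names assumed from ASIM).
    Only events in (now - window, now] are considered, standing in for the
    analytics rule's lookback. Returns one summary per TargetUsername that meets
    both thresholds; no ordering between failures and successes is required.
    """
    window_start = now - window
    per_user = defaultdict(lambda: {"FailureCount": 0, "SuccessCount": 0,
                                    "StartTime": None, "EndTime": None,
                                    "IpAddresses": set()})
    for ev in events:
        if not (window_start < ev["TimeGenerated"] <= now):
            continue                                   # outside the lookback
        if ev["TargetUserType"] == "NonInteractive":
            continue                                   # Stage 2: where
        agg = per_user[ev["TargetUsername"]]           # Stage 3: summarize by user
        if ev["EventResult"] == "Failure":
            agg["FailureCount"] += 1
        elif ev["EventResult"] == "Success":
            agg["SuccessCount"] += 1
        t = ev["TimeGenerated"]
        agg["StartTime"] = t if agg["StartTime"] is None else min(agg["StartTime"], t)
        agg["EndTime"] = t if agg["EndTime"] is None else max(agg["EndTime"], t)
        agg["IpAddresses"].add(ev["SrcDvcIpAddr"])
    hits = []
    for user, agg in sorted(per_user.items()):         # Stage 4: both thresholds
        if (agg["FailureCount"] >= failure_threshold
                and agg["SuccessCount"] >= success_threshold):
            hits.append({"TargetUsername": user, **agg,
                         "IpAddresses": sorted(agg["IpAddresses"])})
    return hits


def make_event(t, user, result, ip, utype="Regular"):
    return {"TimeGenerated": t, "TargetUsername": user, "EventResult": result,
            "SrcDvcIpAddr": ip, "TargetUserType": utype}


NOW = datetime(2024, 1, 15, 12, 0, 0)


def sample_events():
    """Constructed sample data, not real telemetry."""
    evs = []
    # alice: 10 failures then 1 success -> fires
    for i in range(10):
        evs.append(make_event(NOW - timedelta(minutes=15, seconds=-10 * i), "alice", "Failure", "10.0.0.5"))
    evs.append(make_event(NOW - timedelta(minutes=5), "alice", "Success", "10.0.0.5"))
    # bob: success FIRST, then 10 failures -> fires too, the rule enforces no order
    evs.append(make_event(NOW - timedelta(minutes=18), "bob", "Success", "10.0.0.9"))
    for i in range(10):
        evs.append(make_event(NOW - timedelta(minutes=10, seconds=-5 * i), "bob", "Failure", "10.0.0.9"))
    # svc-backup: 15 failures and a success, but NonInteractive -> dropped by Stage 2
    for i in range(15):
        evs.append(make_event(NOW - timedelta(minutes=12, seconds=-i), "svc-backup", "Failure",
                              "10.0.0.20", "NonInteractive"))
    evs.append(make_event(NOW - timedelta(minutes=1), "svc-backup", "Success", "10.0.0.20", "NonInteractive"))
    # carol: 10 failures and no success -> below the success threshold
    for i in range(10):
        evs.append(make_event(NOW - timedelta(minutes=8, seconds=-i), "carol", "Failure", "10.0.0.7"))
    # dave: 12 failures 40 minutes ago plus a recent success -> failures fall outside the window
    for i in range(12):
        evs.append(make_event(NOW - timedelta(minutes=40, seconds=-i), "dave", "Failure", "10.0.0.8"))
    evs.append(make_event(NOW - timedelta(minutes=2), "dave", "Success", "10.0.0.8"))
    return evs


if __name__ == "__main__":
    for hit in brute_force_hits(sample_events(), NOW):
        print(hit["TargetUsername"], hit["FailureCount"], hit["SuccessCount"], hit["IpAddresses"])
```

With the defaults only alice and bob are reported; widening the window to an hour (three times TIME_RANGE) adds dave, which is the usual trade-off when the lookback is stretched to catch slow attempts.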
Indicators
Each row is a field, operator and value that the rule matches.
| Field | Kind | Values |
|---|---|---|
| FailureCount | ge | failureCountThreshold (default 10) |
| SuccessCount | ge | successCountThreshold (default 1) |
| TargetUserType | ne | NonInteractive |