Rule Documentation: Brute Force Logon Attempt from Single Source IP Across Multiple Devices
Burte Force Single I Pmultipledestinationswithin10minutes
Query
DeviceLogonEvents
| where ActionType == "LogonFailed" and isnotempty(RemoteIP)
| where RemoteIP != @"127.0.0.1"
| summarize
FailedLogonCount = count(),
DistinctTargetDevices = dcount(DeviceName),
TargetDevices = make_set(DeviceName, 10),
FirstSeen = min(Timestamp),
LastSeen = max(Timestamp)
by RemoteIP, bin(Timestamp, 10m)
| where FailedLogonCount >= 10 and DistinctTargetDevices >= 10
| project
FirstSeen,
LastSeen,
RemoteIP,
FailedLogonCount,
DistinctTargetDevices,
TargetDevices
| order by FailedLogonCount descAbout this query
Explanation
This query is designed to detect potential brute force login attempts from a single external IP address. Here's a simplified breakdown of how it works:
-
Source Data: The query looks at a table called
DeviceLogonEvents, which records login activities on Windows devices. -
Filtering Criteria:
- It focuses on events where the login attempt failed (
ActionTypeis "LogonFailed"). - It excludes any attempts from the local machine (ignores IP
127.0.0.1). - It only considers attempts where the
RemoteIP(the IP address trying to log in) is specified.
- It focuses on events where the login attempt failed (
-
Time Frame: The query examines login attempts within a 10-minute window.
-
Detection Conditions:
- It identifies cases where there are 10 or more failed login attempts.
- These attempts must come from the same
RemoteIP. - The failed attempts must target 10 or more different devices.
-
Output:
- The query lists the first and last time the failed attempts were seen.
- It shows the
RemoteIPresponsible for the attempts. - It counts the total number of failed attempts and the number of distinct devices targeted.
- It also provides a list of up to 10 devices that were targeted.
-
Purpose: This query helps identify suspicious behavior that might indicate an attacker is trying to guess passwords to gain unauthorized access to multiple devices, which is a common tactic in brute force attacks.
-
Tags: The query is associated with tags like Brute Force, Credential Access, and Suspicious Authentication Behavior, indicating its focus on detecting unauthorized access attempts.
