Query Details

Rule Documentation: Brute Force Logon Attempt from Single Source IP Across Multiple Devices

Burte Force Single I Pmultipledestinationswithin10minutes

Query

DeviceLogonEvents
| where ActionType == "LogonFailed" and isnotempty(RemoteIP)
| where RemoteIP != @"127.0.0.1"
| summarize 
    FailedLogonCount = count(),
    DistinctTargetDevices = dcount(DeviceName),
    TargetDevices = make_set(DeviceName, 10),
    FirstSeen = min(Timestamp),
    LastSeen = max(Timestamp)
  by RemoteIP, bin(Timestamp, 10m)
| where FailedLogonCount >= 10 and DistinctTargetDevices >= 10
| project 
    FirstSeen,
    LastSeen,
    RemoteIP,
    FailedLogonCount,
    DistinctTargetDevices,
    TargetDevices
| order by FailedLogonCount desc

About this query

Explanation

This query is designed to detect potential brute force login attempts from a single external IP address. Here's a simplified breakdown of how it works:

  1. Source Data: The query looks at a table called DeviceLogonEvents, which records login activities on Windows devices.

  2. Filtering Criteria:

    • It focuses on events where the login attempt failed (ActionType is "LogonFailed").
    • It excludes any attempts from the local machine (ignores IP 127.0.0.1).
    • It only considers attempts where the RemoteIP (the IP address trying to log in) is specified.
  3. Time Frame: The query examines login attempts within a 10-minute window.

  4. Detection Conditions:

    • It identifies cases where there are 10 or more failed login attempts.
    • These attempts must come from the same RemoteIP.
    • The failed attempts must target 10 or more different devices.
  5. Output:

    • The query lists the first and last time the failed attempts were seen.
    • It shows the RemoteIP responsible for the attempts.
    • It counts the total number of failed attempts and the number of distinct devices targeted.
    • It also provides a list of up to 10 devices that were targeted.
  6. Purpose: This query helps identify suspicious behavior that might indicate an attacker is trying to guess passwords to gain unauthorized access to multiple devices, which is a common tactic in brute force attacks.

  7. Tags: The query is associated with tags like Brute Force, Credential Access, and Suspicious Authentication Behavior, indicating its focus on detecting unauthorized access attempts.

Details

Ali Hussein profile picture

Ali Hussein

Released: April 16, 2025

Tables

DeviceLogonEvents

Keywords

DeviceLogonEventsRemoteIPDeviceNameTimestamp

Operators

|where==andisnotempty!=@summarizecountdcountmake_setminmaxbybin10mprojectorder bydesc

MITRE Techniques

Actions

GitHub