Detection rules › Kusto

SlackAudit - Multiple failed logins for user

Status
available
Severity
medium
Time window
5m
Group by
SrcUserName, bucket
Source
github.com/Azure/Azure-Sentinel

Identifies multiple failed Slack logins for a user account within a short time window, which may indicate password guessing or brute-force activity.

MITRE ATT&CK coverage

Tactic              Techniques
Credential Access   T1110 Brute Force

Rule body kusto

id: 93a91c37-032c-4380-847c-957c001957ad
name: SlackAudit - Multiple failed logins for user
description: |
  'Identifies multiple failed Slack logins for a user account within a short time window, which may indicate password
  guessing or brute-force activity.'
severity: Medium
status: Available
requiredDataConnectors:
  - connectorId: SlackAuditAPI
    dataTypes:
      - SlackAudit_CL
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
tactics: 
  - CredentialAccess
relevantTechniques:
  - T1110
query: |
  let threshold = 10;
  SlackAudit
  | where DvcAction in~ ('user_login_failed')
  | summarize FailedLogins = count() by SrcUserName, bucket = bin(TimeGenerated, 5m)
  | where FailedLogins > threshold
  | extend AccountCustomEntity = SrcUserName
  | project SrcUserName, bucket, FailedLogins, AccountCustomEntity
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: AccountCustomEntity
customDetails:
  FailedLogins: FailedLogins
  UserAccount: SrcUserName
  TimeBucket: bucket
version: 1.0.1
kind: Scheduled

Stages and Predicates

Parameters

let threshold = 10;

Stage 1: source

SlackAudit

Stage 2: where

| where DvcAction in~ ('user_login_failed')

Stage 3: summarize

| summarize FailedLogins = count() by SrcUserName, bucket = bin(TimeGenerated, 5m)

Stage 4: where

| where FailedLogins > threshold
Threshold
gt 10

Stage 5: extend

| extend AccountCustomEntity = SrcUserName

Stage 6: project

| project SrcUserName, bucket, FailedLogins, AccountCustomEntity
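Added worked example (not part of the rule or of the Azure-Sentinel repository): the six stages above emulated in Python over constructed SlackAudit-like rows, so the rule's semantics can be checked offline. kql_bin reproduces KQL bin() (floor to a multiple of the bin size counted from the Unix epoch), detect follows the fixed 5-minute buckets the rule uses, and detect_sliding is a hypothetical alternative, not the rule's logic, included only to show the boundary effect of fixed bins. make_events, SAMPLE_EVENTS, T0 and the user names are constructed for the example.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Rule parameters taken from the query above.
THRESHOLD = 10
BIN_SIZE = timedelta(minutes=5)
FAILED_ACTIONS = {"user_login_failed"}  # matched with in~, i.e. case-insensitively

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def kql_bin(ts, size):
    """Emulate KQL bin(ts, size): floor ts to a multiple of size counted from the epoch."""
    return EPOCH + ((ts - EPOCH) // size) * size


def detect(events, threshold=THRESHOLD, bin_size=BIN_SIZE):
    """Fixed-bin version: the same semantics as the rule's where/summarize/where stages."""
    counts = Counter()
    for ev in events:
        # DvcAction in~ ('user_login_failed'): case-insensitive match.
        if ev["DvcAction"].lower() not in FAILED_ACTIONS:
            continue
        # summarize FailedLogins = count() by SrcUserName, bucket = bin(TimeGenerated, 5m)
        counts[(ev["SrcUserName"], kql_bin(ev["TimeGenerated"], bin_size))] += 1
    # where FailedLogins > threshold, then extend/project the emitted columns.
    return [
        {"SrcUserName": user, "bucket": bucket, "FailedLogins": n, "AccountCustomEntity": user}
        for (user, bucket), n in sorted(counts.items())
        if n > threshold
    ]


def detect_sliding(events, threshold=THRESHOLD, window=BIN_SIZE):
    """Hypothetical variant (not the rule's logic): largest burst of failures per user
    inside any window-sized span, so bursts that straddle a bin boundary still count."""
    times = defaultdict(list)
    for ev in events:
        if ev["DvcAction"].lower() in FAILED_ACTIONS:
            times[ev["SrcUserName"]].append(ev["TimeGenerated"])
    hits = {}
    for user, ts in times.items():
        ts.sort()
        start, best = 0, 0
        for end, t in enumerate(ts):
            while t - ts[start] >= window:  # keep ts[start]..t shorter than the window
                start += 1
            best = max(best, end - start + 1)
        if best > threshold:
            hits[user] = best
    return hits


def make_events(user, action, first, count, spacing_s):
    """Constructed SlackAudit-like rows carrying only the columns the rule reads."""
    return [
        {"TimeGenerated": first + timedelta(seconds=i * spacing_s), "SrcUserName": user, "DvcAction": action}
        for i in range(count)
    ]


T0 = datetime(2024, 5, 1, 10, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = (
    # alice: 12 failures in under two minutes, all inside the 10:00 bin -> fires
    make_events("alice", "user_login_failed", T0 + timedelta(minutes=1), 12, 10)
    # bob: 12 failures in under two minutes, but 6 land in the 10:00 bin and 6 in the 10:05 bin -> does not fire
    + make_events("bob", "user_login_failed", T0 + timedelta(minutes=4), 12, 10)
    # carol: 3 failures logged in upper case; in~ still matches them, but 3 is under the threshold
    + make_events("carol", "USER_LOGIN_FAILED", T0 + timedelta(minutes=2), 3, 30)
    # dave: 15 successful logins; the action filter drops them before counting
    + make_events("dave", "user_login", T0, 15, 5)
)

if __name__ == "__main__":
    for row in detect(SAMPLE_EVENTS):
        print(row)
    print("sliding-window hits:", detect_sliding(SAMPLE_EVENTS))
```

Running it yields one row, alice in the 10:00 bucket with FailedLogins 12, while bob's identical burst is split 6/6 across the 10:05 boundary and never exceeds the threshold in either bucket; the sliding-window variant reports both. That boundary effect is inherent to bin(): with queryFrequency and queryPeriod both 1h, each run scores the twelve 5-minute buckets of the previous hour independently, and triggerThreshold gt 0 means any surviving row raises an alert. Lowering the threshold or widening the bin trades this gap for more noise from users who simply mistype a password.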

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column, where shown, counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators; blank or 1 means the indicator is specific to this rule.

Field          Kind   Values
DvcAction      in     • user_login_failed
FailedLogins   gt     • 10 (transforms: cased)

Output fields

Fields the rule emits when it matches. Chronicle authors list these in the outcome block; they appear on the detection and $risk_score drives alerting. Sentinel / Defender XDR rules build them up through project / summarize / extend stages. Sentinel maps these into alert fields via entityMappings and customDetails; Defender XDR custom detections surface them as alert fields directly.

Field                 Source
AccountCustomEntity   project
FailedLogins          project
SrcUserName           project
bucket                project