OpenAI Brute Force Login Success

Severity: high
Time window: 30m
Match by: p_any_emails
Reference: https://platform.openai.com/docs/api-reference/audit-logs
Source: github.com/panther-labs/panther-analysis

Detects successful credential stuffing or brute force attacks against OpenAI accounts. This rule identifies when a user account experiences 5 or more failed login attempts followed by a successful login within 30 minutes. This pattern indicates: - Successful credential stuffing attack - Successful brute force attack - Compromised user credentials - Automated attack tools successfully gaining access The correlation is performed by matching on the user email address to track attempts against the same account across multiple failed attempts and the eventual success.

MITRE ATT&CK coverage

Tactic	Techniques
Credential Access	`T1110.001` Brute Force: Password Guessing, `T1110.003` Brute Force: Password Spraying, `T1110.004` Brute Force: Credential Stuffing

Rule body yaml

AnalysisType: correlation_rule
RuleID: "OpenAI.BruteForce.Login.Success"
DisplayName: "OpenAI Brute Force Login Success"
Enabled: true
Severity: High
Description: |
  Detects successful credential stuffing or brute force attacks against OpenAI accounts.
  This rule identifies when a user account experiences 5 or more failed login attempts
  followed by a successful login within 30 minutes. This pattern indicates:
  - Successful credential stuffing attack
  - Successful brute force attack
  - Compromised user credentials
  - Automated attack tools successfully gaining access
  The correlation is performed by matching on the user email address to track attempts
  against the same account across multiple failed attempts and the eventual success.
Reference: https://platform.openai.com/docs/api-reference/audit-logs
Runbook: |
  1. Verify if the successful login was legitimate by contacting the user via a trusted out-of-band channel to confirm they logged in. Review the failed login attempts including source IPs, geolocations, user agents, and timing patterns for anomalies.
  2. If the login is confirmed as unauthorized, immediately disable the compromised account, force password reset, revoke all active sessions and API keys, and review all actions taken by the account since the successful login.
  3. Investigate potential breach scope by checking if the same IP targeted multiple accounts, reviewing API key modifications, auditing role assignments and permission changes, and checking for data exfiltration or suspicious API usage.
Reports:
  MITRE ATT&CK:
    - TA0001:T1110  # Brute Force
    - TA0006:T1110.001  # Password Guessing
    - TA0006:T1110.003  # Password Spraying
    - TA0006:T1110.004  # Credential Stuffing
Detection:
  - Sequence:
      - ID: Multiple Failed Logins
        RuleID: OpenAI.Login.Failed
        MinMatchCount: 5
      - ID: Successful Login
        RuleID: OpenAI.Login.Success
    Transitions:
      - ID: Multiple Failed Logins FOLLOWED BY Successful Login
        From: Multiple Failed Logins
        To: Successful Login
        WithinTimeFrameMinutes: 30
        Match:
          - On: p_any_emails
    Schedule:
      RateMinutes: 1440
      TimeoutMinutes: 5
    LookbackWindowMinutes: 2160
Tests:
  - Name: "5 Failed Logins FOLLOWED BY Successful Login"
    ExpectedResult: true
    RuleOutputs:
      - ID: Multiple Failed Logins
        Matches:
          p_any_emails:
            "user@company.com": [0, 2, 4, 6, 8]
      - ID: Successful Login
        Matches:
          p_any_emails:
            "user@company.com": [10]
  - Name: "5 Failed Logins FOLLOWED BY Successful Login - Different User"
    ExpectedResult: false
    RuleOutputs:
      - ID: Multiple Failed Logins
        Matches:
          p_any_emails:
            "user@company.com": [0, 2, 4, 6, 8]
      - ID: Successful Login
        Matches:
          p_any_emails:
            "other@company.com": [10]
  - Name: "Only 3 Failed Logins FOLLOWED BY Success"
    ExpectedResult: false
    RuleOutputs:
      - ID: Multiple Failed Logins
        Matches:
          p_any_emails:
            "user@company.com": [0, 2, 4]
      - ID: Successful Login
        Matches:
          p_any_emails:
            "user@company.com": [6]
  - Name: "5 Failed Logins FOLLOWED BY Success After 35 Minutes"
    ExpectedResult: false
    RuleOutputs:
      - ID: Multiple Failed Logins
        Matches:
          p_any_emails:
            "user@company.com": [0, 2, 4, 6, 8]
      - ID: Successful Login
        Matches:
          p_any_emails:
            "user@company.com": [45]
  - Name: "Multiple Users - Only One Triggers"
    ExpectedResult: true
    RuleOutputs:
      - ID: Multiple Failed Logins
        Matches:
          p_any_emails:
            "user@company.com": [0, 2, 4, 6, 8]
            "other@company.com": [1, 3]
      - ID: Successful Login
        Matches:
          p_any_emails:
            "user@company.com": [10]
            "other@company.com": [11]

Detection logic

Stage 1: `step Multiple Failed Logins` ordered before `$Successful Login`

References detection OpenAI.Login.Failed (min 5 matches).

Stage 2: `step Successful Login` ordered after `$Multiple Failed Logins`

References detection OpenAI.Login.Success.

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)

OpenAI Brute Force Login Success

MITRE ATT&CK coverage

Rule body yaml

Detection logic

Stage 1: `step Multiple Failed Logins` ordered before `$Successful Login`

Stage 2: `step Successful Login` ordered after `$Multiple Failed Logins`

Keyboard shortcuts

Search operators

OpenAI Brute Force Login Success

MITRE ATT&CK coverage

Rule body yaml

Detection logic

Stage 1: step Multiple Failed Logins ordered before $Successful Login

Stage 2: step Successful Login ordered after $Multiple Failed Logins

Stage 1: `step Multiple Failed Logins` ordered before `$Successful Login`

Stage 2: `step Successful Login` ordered after `$Multiple Failed Logins`