Query Details

Brute Force: Single IP, Multiple Destinations Within 10 Minutes

Query

# Rule Documentation: Brute Force Logon Attempt from Single Source IP Across Multiple Devices

## Description
This detection rule identifies a potential **brute force attack** originating from a single external IP address (`RemoteIP`) that has failed to log in across **multiple Windows devices** within a short period of time. This behavior is indicative of credential stuffing or brute force login attempts, where an attacker systematically tries different combinations of usernames and passwords to gain access.

The detection is triggered when **10 or more failed logon attempts** occur from the **same Remote IP address** across **10 or more distinct devices** within a **10-minute window**. This type of activity could represent early-stage reconnaissance or lateral movement attempts after an initial foothold.

This logic is based on the behavior described in Elastic’s prebuilt rule:
- [Elastic Rule: Multiple Logon Failures from the Same Source IP](https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/windows/credential_access_bruteforce_multiple_logon_failure_same_srcip)

## Detection Logic
- **Source Table:** `DeviceLogonEvents`
- **Filters Applied:**
  - `ActionType` is `"LogonFailed"`
  - `RemoteIP` is **not empty** and **not equal to the loopback address (`127.0.0.1`)**; no other internal or private ranges are excluded, so the rule also fires on internal sources
- **Aggregation Window:** 10 minutes, using fixed `bin(Timestamp, 10m)` buckets (a burst that straddles a bucket boundary is split across two buckets)
- **Conditions (per `RemoteIP` and bucket):**
  - `FailedLogonCount >= 10`
  - `DistinctTargetDevices >= 10`

## Tags
- Brute Force
- Credential Access
- Initial Access
- Logon Failures
- Suspicious Authentication Behavior
- T1110

## Search Query
```kql
DeviceLogonEvents
| where ActionType == "LogonFailed" and isnotempty(RemoteIP)
| where RemoteIP != @"127.0.0.1"
| summarize
    FailedLogonCount = count(),
    DistinctTargetDevices = dcount(DeviceName),
    TargetDevices = make_set(DeviceName, 10),
    FirstSeen = min(Timestamp),
    LastSeen = max(Timestamp)
  by RemoteIP, bin(Timestamp, 10m)
| where FailedLogonCount >= 10 and DistinctTargetDevices >= 10
| project
    FirstSeen,
    LastSeen,
    RemoteIP,
    FailedLogonCount,
    DistinctTargetDevices,
    TargetDevices
| order by FailedLogonCount desc
```

## Explanation

This query is designed to detect potential brute force login attempts from a single external IP address. Here's a simplified breakdown of how it works:

1. **Source Data:** The query looks at a table called `DeviceLogonEvents`, which records login activities on Windows devices.
2. **Filtering Criteria:**
   - It focuses on events where the login attempt failed (`ActionType` is `"LogonFailed"`).
   - It excludes any attempts from the local machine (ignores IP `127.0.0.1`).
   - It only considers attempts where the `RemoteIP` (the IP address trying to log in) is specified.
3. **Time Frame:** The query examines login attempts within a 10-minute window.
4. **Detection Conditions:**
   - It identifies cases where there are 10 or more failed login attempts.
   - These attempts must come from the same `RemoteIP`.
   - The failed attempts must target 10 or more different devices.
5. **Output:**
   - The query lists the first and last time the failed attempts were seen.
   - It shows the `RemoteIP` responsible for the attempts.
   - It counts the total number of failed attempts and the number of distinct devices targeted.
   - It also provides a list of up to 10 devices that were targeted.
6. **Purpose:** This query helps identify suspicious behavior that might indicate an attacker is trying to guess passwords to gain unauthorized access to multiple devices, which is a common tactic in brute force attacks.
7. **Tags:** The query is associated with tags like Brute Force, Credential Access, and Suspicious Authentication Behavior, indicating its focus on detecting unauthorized access attempts.
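To make the aggregation concrete, and to show where the fixed `bin(Timestamp, 10m)` buckets can miss a burst, here is an added Python re-implementation of the query's logic run over constructed `DeviceLogonEvents`-style records. This is example code written for this page, not the query author's code and not a Microsoft or KQL library; the event dictionaries, device names, IP addresses (documentation ranges) and timestamps are all constructed. It goes beyond the page's query in one respect: `detect_bruteforce_sliding` applies the same thresholds over a sliding 10-minute window so the bucket-boundary case is visible side by side.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(minutes=10)
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def bin_timestamp(ts: datetime, window: timedelta = WINDOW) -> datetime:
    """Floor ts to the start of its fixed window, like KQL's bin(Timestamp, 10m)."""
    return EPOCH + ((ts - EPOCH) // window) * window


def _is_candidate(ev: dict) -> bool:
    """The query's where-clauses: failed logon, RemoteIP present and not loopback."""
    remote_ip = ev.get("RemoteIP") or ""
    return ev["ActionType"] == "LogonFailed" and bool(remote_ip) and remote_ip != "127.0.0.1"


def detect_bruteforce(events, window=WINDOW, min_failures=10, min_devices=10, max_listed=10):
    """Mirror of the KQL summarize/where/project/order pipeline over fixed bins."""
    groups = defaultdict(list)
    for ev in events:
        if _is_candidate(ev):
            groups[(ev["RemoteIP"], bin_timestamp(ev["Timestamp"], window))].append(ev)

    results = []
    for (remote_ip, _bin_start), evs in groups.items():
        devices = {e["DeviceName"] for e in evs}
        if len(evs) >= min_failures and len(devices) >= min_devices:
            results.append({
                "FirstSeen": min(e["Timestamp"] for e in evs),
                "LastSeen": max(e["Timestamp"] for e in evs),
                "RemoteIP": remote_ip,
                "FailedLogonCount": len(evs),
                "DistinctTargetDevices": len(devices),
                "TargetDevices": sorted(devices)[:max_listed],  # make_set(DeviceName, 10)
            })
    results.sort(key=lambda r: r["FailedLogonCount"], reverse=True)
    return results


def detect_bruteforce_sliding(events, window=WINDOW, min_failures=10, min_devices=10):
    """Same thresholds, but any window-long span starting at a failure counts.
    Not part of the page's query; included to show what aligned bins can miss."""
    by_ip = defaultdict(list)
    for ev in events:
        if _is_candidate(ev):
            by_ip[ev["RemoteIP"]].append(ev)
    flagged = set()
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["Timestamp"])
        for i, start in enumerate(evs):
            span = [e for e in evs[i:] if e["Timestamp"] - start["Timestamp"] < window]
            if len(span) >= min_failures and len({e["DeviceName"] for e in span}) >= min_devices:
                flagged.add(ip)
                break
    return sorted(flagged)


# ---- constructed sample data (not real telemetry) ----
BASE = datetime(2025, 4, 16, 9, 0, tzinfo=timezone.utc)


def _ev(ts, ip, device, action="LogonFailed"):
    return {"Timestamp": ts, "ActionType": action, "RemoteIP": ip, "DeviceName": device}


def build_sample_events():
    events = []
    # A: 12 failures from one IP against 12 devices inside the 09:00-09:10 bin -> alert
    for i in range(12):
        events.append(_ev(BASE + timedelta(seconds=30 * i), "203.0.113.10", f"WS-{i:02d}"))
    # B: 15 failures against a single device -> count met, distinct-device threshold not met
    for i in range(15):
        events.append(_ev(BASE + timedelta(seconds=20 * i), "198.51.100.7", "WS-00"))
    # C: rows the where-clauses drop: loopback source, empty RemoteIP, successful logons
    for i in range(12):
        events.append(_ev(BASE + timedelta(seconds=i), "127.0.0.1", f"WS-{i:02d}"))
        events.append(_ev(BASE + timedelta(seconds=i), "", f"WS-{i:02d}"))
        events.append(_ev(BASE + timedelta(seconds=i), "203.0.113.99", f"WS-{i:02d}", "LogonSuccess"))
    # D: 12 failures across 12 devices from 09:09:30 to 09:10:25, split 6/6 by the
    #    bin boundary at 09:10 -> fixed bins miss it, a sliding window catches it
    for i in range(12):
        events.append(_ev(BASE + timedelta(seconds=570 + 5 * i), "192.0.2.5", f"SRV-{i:02d}"))
    return events


if __name__ == "__main__":
    sample = build_sample_events()
    for row in detect_bruteforce(sample):
        print(row)
    print("sliding-window hits:", detect_bruteforce_sliding(sample))
```

Running it prints one fixed-bin alert (`203.0.113.10`, 12 failures, 12 devices) while the sliding-window variant also flags `192.0.2.5`. If missed bursts across bucket boundaries matter in your environment, consider scheduling the rule with a lookback longer than the bin size or overlapping runs, and keep in mind that the page's query only drops loopback, so internal scanners and misconfigured hosts will surface here too.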

Details


Ali Hussein

Released: April 16, 2025

Tables

DeviceLogonEvents

Keywords

`DeviceLogonEvents`, `RemoteIP`, `DeviceName`, `Timestamp`

Operators

`|`, `where`, `==`, `and`, `isnotempty`, `!=`, `@`, `summarize`, `count`, `dcount`, `make_set`, `min`, `max`, `by`, `bin`, `10m`, `project`, `order by`, `desc`
