⚠️ Unpublished: This item is from a solution that is not yet published on Azure Marketplace or not installed in Content Hub.
| Attribute | Value |
|---|---|
| Publisher | StealthTalk Support |
| Support Tier | Partner |
| Support Link | https://stealthtalk.com/support |
| Categories | Security - Threat Protection,Identity,Security - Insider Threat |
| Version | 3.0.0 |
| Author | StealthTalk - support@stealthtalk.com |
| First Published | 2026-05-01 |
| Solution Folder | StealthTalk |
The StealthTalk Anomalous Authentication solution ingests StealthTalk Enterprise sign-in anomaly data into Microsoft Sentinel so SOC teams can investigate anomalous authentication activity alongside Microsoft security telemetry. The solution includes a Logs Ingestion API data connector, scheduled analytic rules, hunting queries, ASIM authentication parsers, a workbook, and a Microsoft Teams playbook. It depends on Microsoft Sentinel, Azure Monitor Logs Ingestion, custom tables, Logic Apps, and ASIM.
This solution provides 1 data connector: StealthTalk Anomalous Authentication (Logs Ingestion API).
This solution uses 1 table:
| Table | Used By Connectors | Used By Content |
|---|---|---|
| StealthTalkAnomalousAuth_CL | StealthTalk Anomalous Authentication | Analytics, Hunting, Workbooks |
This solution includes 9 content item(s):
| Content Type | Count |
|---|---|
| Analytic Rules | 4 |
| Hunting Queries | 3 |
| Workbooks | 1 |
| Playbooks | 1 |
Analytic rules:
| Name | Severity | Tactics | Tables Used |
|---|---|---|---|
| StealthTalk - After hours work | Low | InitialAccess, DefenseEvasion, Persistence | StealthTalkAnomalousAuth_CL |
| StealthTalk - Login outside work zone | High | InitialAccess, DefenseEvasion, CredentialAccess | StealthTalkAnomalousAuth_CL |
| StealthTalk - Multi new devices registration | Medium | Persistence, InitialAccess, DefenseEvasion | StealthTalkAnomalousAuth_CL |
| StealthTalk - Password brute force | High | CredentialAccess, InitialAccess | StealthTalkAnomalousAuth_CL |
Hunting queries:
| Name | Tactics | Tables Used |
|---|---|---|
| StealthTalk - Account takeover sequence | InitialAccess, Persistence, CredentialAccess, DefenseEvasion | StealthTalkAnomalousAuth_CL |
| StealthTalk - Brute force followed by suspicious access | CredentialAccess, InitialAccess | StealthTalkAnomalousAuth_CL |
| StealthTalk - Impossible travel | InitialAccess, CredentialAccess | StealthTalkAnomalousAuth_CL |
Workbooks:
| Name | Tables Used |
|---|---|
| StealthTalkAnomalousAuthMonitor | StealthTalkAnomalousAuth_CL |
Playbooks:
| Name | Description | Tables Used |
|---|---|---|
| StealthTalk - Alert to Microsoft Teams | When a Microsoft Sentinel incident is created, post a formatted Adaptive Card with the incident summ... | - |
📄 Source: StealthTalk/README.md
The StealthTalk Anomalous Authentication solution surfaces suspicious user-authentication events from the StealthTalk private business messenger inside Microsoft Sentinel, providing a normalised ASIM-compliant view, four scheduled detections, three hunting queries, an interactive workbook, and a Teams-notification playbook. It is intended for organisations that run StealthTalk Enterprise on Microsoft Azure and want their SOC to handle StealthTalk anomalies through standard Microsoft Sentinel workflows.
| Artefact | Count | Notes |
|---|---|---|
| Data Connector (Logs Ingestion API) | 1 | Custom log table + DCE + DCR. Stream Custom-StealthTalkAnomalousAuth_CL. 21 fields covering 4 anomaly classes. |
| Scheduled Analytic Rules | 4 | After-Hours Work (Low), Multi New Devices Registration (Medium), Login Outside Work Zone (High), Password Brute Force (High). MITRE-mapped. |
| Hunting Queries | 3 | Impossible Travel, Account Takeover Sequence, Brute Force followed by Suspicious Access. |
| ASIM Parsers (Authentication 0.1.3) | 3 | vimAuthenticationStealthTalk (filtering), ASimAuthenticationStealthTalk (non-filtering), and an imAuthentication union extension that registers the StealthTalk source. |
| Workbook | 1 | 17 panels across Overview, Off-Hours, New Devices, Geo Anomaly, Brute Force. Includes a User Risk Leaderboard, Multi-Vector Correlation, and a World Map. |
| Playbook | 1 | Logic App that posts incident details into a Microsoft Teams channel via webhook. |
FullDeploymentAuthentication.json) deployed in the workspace before this Solution is installed. The Solution's imAuthentication extension parser overrides the union so that StealthTalk events are returned by imAuthentication() alongside Microsoft-built-in sources.
This solution is published as a partner Microsoft Sentinel Solution to the Microsoft Sentinel Content Hub. To install:
[Content truncated...]
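As an added example of how an analyst can consume the normalised view the README describes (this is not one of the solution's own analytic rules or hunting queries), the KQL below reads StealthTalk sign-in events through the solution's filtering parser vimAuthenticationStealthTalk and looks for a burst of failed logons followed shortly by a success from the same source address. It relies only on standard ASIM Authentication schema columns (EventType, EventResult, TargetUsername, SrcIpAddr, TimeGenerated); the lookback, failure threshold and correlation window are assumed values chosen for illustration.

```kusto
// Added example, not part of the StealthTalk solution.
// Assumes the solution's ASIM parsers are deployed; column names are the
// ASIM Authentication schema, thresholds below are illustrative.
let lookback = 1d;             // assumed: how far back to search
let failure_threshold = 10;    // assumed: failed logons per window that count as a burst
let window = 15m;              // assumed: bucket size and post-burst correlation window
// Source-specific filtering parser: only StealthTalk events, already normalised.
let stealthtalk_auth = vimAuthenticationStealthTalk(starttime=ago(lookback), endtime=now());
// Step 1: bursts of failed logons per (account, source IP, time bucket).
let failures = stealthtalk_auth
  | where EventType == "Logon" and EventResult == "Failure"
  | summarize Failures = count(),
              FirstFailure = min(TimeGenerated),
              LastFailure = max(TimeGenerated)
      by TargetUsername, SrcIpAddr, bin(TimeGenerated, window)
  | where Failures >= failure_threshold
  | project TargetUsername, SrcIpAddr, Failures, FirstFailure, LastFailure;
// Step 2: a successful logon for the same account from the same IP shortly after the burst.
stealthtalk_auth
| where EventType == "Logon" and EventResult == "Success"
| join kind=inner failures on TargetUsername, SrcIpAddr
| where TimeGenerated between (LastFailure .. (LastFailure + window))
| project SuccessTime = TimeGenerated, TargetUsername, SrcIpAddr,
          Failures, FirstFailure, LastFailure
| order by SuccessTime desc
```

Because the solution's extension registers StealthTalk in the imAuthentication union, the same query can be pointed at imAuthentication(starttime=ago(lookback), endtime=now()) instead of the source-specific parser to see StealthTalk bursts side by side with other authentication sources in the workspace.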
| Version | Date Modified (DD-MM-YYYY) | Change History |
|---|---|---|
| 3.0.0 | 13-05-2026 | Initial public release with the StealthTalk data connector, 4 analytic rules, 3 hunting queries, ASIM Authentication parsers, workbook, and Teams playbook. |