Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊
Identifies the classic three-stage account-takeover pattern for the same StealthTalk user within 24 hours: off-hours login, new device registration, and geo-anomaly login. All three together is high-confidence evidence of credential compromise.
| Attribute | Value |
|---|---|
| Type | Hunting Query |
| Solution | StealthTalk |
| ID | d2e5f8a3-9c4b-4d7e-8f6a-3b2c4d5e6f7a |
| Tactics | InitialAccess, Persistence, CredentialAccess, DefenseEvasion |
| Techniques | T1078, T1098 |
| Required Connectors | StealthTalkAnomalousAuth |
| Source | View on GitHub |
This content item queries data from the following tables:
| Table | Transformations | Ingestion API | Lake-Only |
|---|---|---|---|
StealthTalkAnomalousAuth_CL |
? | ✓ | ? |
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊