Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊
Identifies credential-stuffing or brute-force success: a MultiFailLogin event with 9+ failed attempts followed within 2 hours by a GeoAnomalyLogin or NewDeviceLogin for the same user - the closest proxy for "the brute-force eventually succeeded".
| Attribute | Value |
|---|---|
| Type | Hunting Query |
| Solution | StealthTalk |
| ID | e3f6a9b4-ad5c-4e8f-9a7b-4c3d5e6f7a8b |
| Tactics | CredentialAccess, InitialAccess |
| Techniques | T1110, T1078 |
| Required Connectors | StealthTalkAnomalousAuth |
| Source | View on GitHub |
This content item queries data from the following tables:
| Table | Transformations | Ingestion API | Lake-Only |
|---|---|---|---|
StealthTalkAnomalousAuth_CL |
? | ✓ | ? |
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊