Brute Force Authentication Failures with Multi-Platform Log Correlation

Technique Detected: Brute Force | T1110

ID: DET0463
Domains: Enterprise
Analytics: AN1275, AN1276, AN1277, AN1278, AN1279
Version: 1.0
Created: 21 October 2025
Last Modified: 21 October 2025

Analytics

AN1275

High volume of failed logon attempts followed by a successful one from a suspicious user, host, or timeframe

Log Sources
Data Component | Name | Channel
User Account Authentication (DC0002) | WinEventLog:Security | EventCode=4625, 4624
Mutable Elements
Field | Description
TimeWindow | Adjustable window to correlate failed logons, e.g., 5-10 minutes
UserContext | Define scope of monitored users (e.g., service accounts, admins)
FailureThreshold | Count of failed logons before raising an alert (e.g., 10-15)

AN1276

Multiple authentication failures for valid or invalid users followed by success from same IP/user

Log Sources
Data Component | Name | Channel
User Account Authentication (DC0002) | auditd:USER_LOGIN | USER_AUTH
Mutable Elements
Field | Description
TimeWindow | Period of brute force activity correlation (e.g., 5 mins)
IPWhitelist | Exclude known monitoring IPs or jump boxes
LoginSource | Filter SSH vs. local logins

AN1277

Password spraying or brute force attempts across user pool within short time intervals

Log Sources
Data Component | Name | Channel
User Account Authentication (DC0002) | azure:signinlogs | Sign-in logs
Mutable Elements
Field | Description
UsernameSprayThreshold | Max number of accounts targeted from a single IP
GeoAnomaly | Mismatch between user location and request location
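The correlation logic that AN1275, AN1276 and AN1277 describe, written out as an added example that is not part of the ATT&CK page: platform events are normalized to (time, user, source, outcome) tuples, and the window, threshold and allowlist parameters correspond to the mutable elements TimeWindow, FailureThreshold, IPWhitelist and UsernameSprayThreshold. The sample events, the function names and the IP addresses are constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WIN_OUTCOME = {4625: "failure", 4624: "success"}   # AN1275 Windows Security event codes

def normalize_windows(ts, user, src_ip, event_code):   # Windows event -> common tuple
    return (ts, user, src_ip, WIN_OUTCOME[event_code])

def detect_fail_then_success(events, time_window=timedelta(minutes=5),
                             failure_threshold=10, ip_allowlist=frozenset()):
    """AN1275/AN1276: >= failure_threshold failures for one (user, src) pair followed
    by a success inside time_window. Returns [(time, user, src, failure_count)]."""
    recent = defaultdict(deque)            # (user, src) -> failure times in window
    alerts = []
    for ts, user, src, outcome in sorted(events):
        if src in ip_allowlist:            # IPWhitelist: skip scanners / jump boxes
            continue
        q = recent[(user, src)]
        while q and ts - q[0] > time_window:   # expire failures older than the window
            q.popleft()
        if outcome == "failure":
            q.append(ts)
        elif outcome == "success" and len(q) >= failure_threshold:
            alerts.append((ts, user, src, len(q)))
            q.clear()                      # one alert per burst, not per later success
    return alerts

def detect_spray(events, time_window=timedelta(minutes=5), spray_threshold=5):
    """AN1277: one src failing against >= spray_threshold distinct users inside
    time_window (UsernameSprayThreshold). Returns [(time, src, distinct_users)]."""
    seen = defaultdict(list)               # src -> [(time, user)] failures in window
    alerts, alerted = [], set()
    for ts, user, src, outcome in sorted(events):
        if outcome != "failure":
            continue
        seen[src] = [(t, u) for t, u in seen[src] if ts - t <= time_window]
        seen[src].append((ts, user))
        users = {u for _, u in seen[src]}
        if len(users) >= spray_threshold and src not in alerted:
            alerts.append((ts, src, len(users)))
            alerted.add(src)
    return alerts

# Constructed sample (not real telemetry): 12 failures then a success for svc_backup
# from 10.0.0.5 within two minutes, plus one failure each against six accounts from 10.0.0.9.
BASE = datetime(2025, 10, 21, 9, 0, 0)
SAMPLE = [normalize_windows(BASE + timedelta(seconds=10 * i), "svc_backup", "10.0.0.5", 4625)
          for i in range(12)]
SAMPLE.append(normalize_windows(BASE + timedelta(seconds=130), "svc_backup", "10.0.0.5", 4624))
SAMPLE += [normalize_windows(BASE + timedelta(seconds=5 * i), u, "10.0.0.9", 4625)
           for i, u in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"])]
```

Raising FailureThreshold to 15 or adding 10.0.0.5 to the allowlist suppresses the first alert, while the spray detector still fires on 10.0.0.9 once five distinct accounts have failed.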

AN1278

Multiple failed authentications in unified logs (e.g., loginwindow or sshd)

Log Sources
Data Component | Name | Channel
User Account Authentication (DC0002) | macos:unifiedlog | auth
Mutable Elements
Field | Description
TimeWindow | Scope of authentication failures (e.g., 10-15 mins)
TargetUser | Filter known service or decoy accounts

AN1279

Excessive login attempts followed by success from SaaS apps like O365, Dropbox, etc.

Log Sources
Data Component | Name | Channel
User Account Authentication (DC0002) | m365:unified | Sign-in logs
Mutable Elements
Field | Description
AppName | Detect brute force attempts targeting specific apps
UserGroup | Limit alert scope to high-value user groups