Chronicle SIEM Rule – Identify Successful Login After 4 Failed Attempts

This is a high-level representation of how a Chronicle SIEM rule, written in YARA-L, might look when detecting a user account that experiences multiple failed logins (invalid credentials) followed by a successful login. The rule is aimed at authentication logs from sources such as Okta, Duo, and Google Workspace, normalized into Chronicle's UDM event model.

Here’s a breakdown of what the rule does:

Meta Information:
Provides context about the rule, including its author, description, severity, the relevant MITRE ATT&CK tactic and technique, the rule type, data sources, and priority. Meta values are documentation rather than logic: a mistake there, such as mitre_attack_version holding the technique ID "T1110" instead of an ATT&CK version, will not stop the rule from matching, but it will mislead whoever triages the result, so check these fields against the condition before deploying.

Events:
Defines two sets of events: $fail and $success.
$fail: A failed login event. It requires the event type USER_LOGIN, a security_result.category_details of "INVALID_CREDENTIALS" and a security_result.action of "BLOCK", and binds the target user ID to the placeholder $targetUser. The timestamp comparison requires each failed event to occur at or before the successful event, so failures that come after the success are not counted.
$success: A successful login event. It requires the same event type and the same $targetUser, but with security_result.action of "ALLOW". It does not filter on category_details, so any allowed USER_LOGIN for that user qualifies.

Match:
Groups the $fail and $success events by $targetUser over a 15-minute window, so one user's failures and success are only ever compared with each other, never across users. Nothing in the rule ties the events to the same host or source IP; the placeholder is the user ID alone.

Condition:
This is the main logic of the rule. #fail > 2 requires three or more failed login events, and $success requires at least one successful login, both for the same user inside the match window. Note that three is one fewer than the four failures named in the page title and in the rule's own description; use #fail > 3 if four is the intended threshold.

This rule is a reasonable starting point for detecting brute-force or suspicious login behaviour, but it has known blind spots. Because the match is per user, password spraying (one or two guesses against many accounts) never reaches the threshold, and a legitimate user who mistypes a password three times and then gets it right triggers it too, so expect noise and consider adding a source-IP or geolocation condition before alerting on it. The sample's type is "Hunt", so treat it as a query to review rather than a paging alert until it has been tuned. Adjusting the time window or the number of failed attempts tailors the rule's sensitivity to your environment.

Sample YARA-L Rule

rule demo_repeatedAuthFailure_thenSuccess {
  meta:
    author = "Google Chronicle"
    description = "Rule to identify a successful login after 4 failed login attempts"
    severity = "Medium"
    mitre_attack_tactic = "Credential Access"
    mitre_attack_technique = "Brute Force: Password Guessing"
    mitre_attack_url = "https://attack.mitre.org/techniques/T1110/001/"
    mitre_attack_version = "T1110"
    type = "Hunt"
    data_source = "Okta, Duo, Workspace"
    priority = "Medium"

  events:
    // $fail: a login attempt blocked for invalid credentials
    $fail.metadata.event_type = "USER_LOGIN"
    $fail.target.user.userid = $targetUser
    $fail.security_result.category_details = "INVALID_CREDENTIALS"
    $fail.security_result.action = "BLOCK"
    // every counted failure must occur at or before the success
    $fail.metadata.event_timestamp.seconds <= $success.metadata.event_timestamp.seconds

    // $success: an allowed login for the same user
    $success.metadata.event_type = "USER_LOGIN"
    $success.target.user.userid = $targetUser
    $success.security_result.action = "ALLOW"

  match:
    // group $fail and $success by user within a 15-minute window
    $targetUser over 15m

  condition:
    // three or more failures (use #fail > 3 for the four named in the description)
    #fail > 2 and $success
}
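To see what the events, match and condition sections actually select, here is a Python re-implementation of the rule's logic run over a handful of constructed UDM-style login events. This is an added example, not Chronicle's code and not part of the original post: the event dicts, user names and the "POLICY_VIOLATION" category are invented, security_result is flattened to a single dict rather than UDM's repeated field, and the match window is approximated as a 15-minute span ending at each successful login, which is simpler than Chronicle's real windowing. The sample deliberately includes the cases the rule misses: a user just under the threshold, failures that fall outside the window, failures that happen after the success, and a password spray spread across several accounts.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Threshold and window copied from the rule: `#fail > 2` and `$targetUser over 15m`.
FAIL_THRESHOLD = 2
MATCH_WINDOW = timedelta(minutes=15)


def make_event(userid, hhmm, action, category=None):
    """Build a constructed, simplified UDM-style USER_LOGIN event (example data only).

    Real UDM stores security_result as a repeated field; a single dict is enough
    to mirror the field paths the rule references.
    """
    hour, minute = map(int, hhmm.split(":"))
    return {
        "metadata": {
            "event_type": "USER_LOGIN",
            "event_timestamp": datetime(2024, 1, 1, hour, minute, tzinfo=timezone.utc),
        },
        "target": {"user": {"userid": userid}},
        "security_result": {"action": action, "category_details": category},
    }


def is_failed_login(e):
    """Mirrors the $fail predicates of the rule."""
    sr = e["security_result"]
    return (e["metadata"]["event_type"] == "USER_LOGIN"
            and sr["action"] == "BLOCK"
            and sr["category_details"] == "INVALID_CREDENTIALS")


def is_successful_login(e):
    """Mirrors the $success predicates of the rule."""
    return (e["metadata"]["event_type"] == "USER_LOGIN"
            and e["security_result"]["action"] == "ALLOW")


def detect(events, threshold=FAIL_THRESHOLD, window=MATCH_WINDOW):
    """Approximate the rule: per user ($targetUser), count failed logins that occur
    at or before a successful login and inside a window ending at that success.
    Returns one detection per qualifying success."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["target"]["user"]["userid"]].append(e)   # match: $targetUser

    detections = []
    for userid, evs in by_user.items():
        fails = [f for f in evs if is_failed_login(f)]
        for s in sorted(evs, key=lambda e: e["metadata"]["event_timestamp"]):
            if not is_successful_login(s):
                continue
            s_ts = s["metadata"]["event_timestamp"]
            # $fail.metadata.event_timestamp.seconds <= $success.metadata.event_timestamp.seconds,
            # restricted to the match window ending at the success
            n_fail = sum(1 for f in fails
                         if s_ts - window < f["metadata"]["event_timestamp"] <= s_ts)
            if n_fail > threshold:                       # condition: #fail > 2 and $success
                detections.append({"userid": userid,
                                   "success_at": s_ts.isoformat(),
                                   "fail_count": n_fail})
    return detections


# Constructed sample input; only alice should produce a detection.
SAMPLE_EVENTS = [
    # alice: three invalid-credential failures, one block for another reason, then success -> fires
    make_event("alice", "10:00", "BLOCK", "INVALID_CREDENTIALS"),
    make_event("alice", "10:02", "BLOCK", "INVALID_CREDENTIALS"),
    make_event("alice", "10:03", "BLOCK", "POLICY_VIOLATION"),   # constructed category; not counted
    make_event("alice", "10:04", "BLOCK", "INVALID_CREDENTIALS"),
    make_event("alice", "10:05", "ALLOW"),
    # bob: two failures then success -> below the threshold
    make_event("bob", "10:00", "BLOCK", "INVALID_CREDENTIALS"),
    make_event("bob", "10:01", "BLOCK", "INVALID_CREDENTIALS"),
    make_event("bob", "10:02", "ALLOW"),
    # carol: three failures, but the first is outside the 15-minute window -> only two counted
    make_event("carol", "09:00", "BLOCK", "INVALID_CREDENTIALS"),
    make_event("carol", "09:20", "BLOCK", "INVALID_CREDENTIALS"),
    make_event("carol", "09:22", "BLOCK", "INVALID_CREDENTIALS"),
    make_event("carol", "09:25", "ALLOW"),
    # dave: success first, failures afterwards -> failures must precede the success
    make_event("dave", "11:00", "ALLOW"),
    make_event("dave", "11:01", "BLOCK", "INVALID_CREDENTIALS"),
    make_event("dave", "11:02", "BLOCK", "INVALID_CREDENTIALS"),
    make_event("dave", "11:03", "BLOCK", "INVALID_CREDENTIALS"),
    # password spray: one failure per account, then one success -> per-user count never reaches three
    make_event("erin", "12:00", "BLOCK", "INVALID_CREDENTIALS"),
    make_event("frank", "12:00", "BLOCK", "INVALID_CREDENTIALS"),
    make_event("grace", "12:00", "BLOCK", "INVALID_CREDENTIALS"),
    make_event("grace", "12:01", "ALLOW"),
]


if __name__ == "__main__":
    for d in detect(SAMPLE_EVENTS):
        print(d)
```

Running it prints a single detection for alice with fail_count 3. Raising threshold to 3 (the "four failed attempts" of the description) yields nothing, and widening the window to an hour pulls carol in as well, which is the knob-turning the closing paragraph describes; no setting of either knob catches the spray across erin, frank and grace, because the match variable is the user.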
