This is a high-level representation of how a SIEM rule in Chronicle might look to detect a scenario where a user account experiences multiple failed logins (due to invalid credentials) followed by a successful login. The rule is tailored for authentication logs from sources like Okta, Duo, and Google Workspace.

Here’s a breakdown of what the rule does:

Meta Information:
Provides essential context about the rule, including its author, description, severity, the relevant MITRE ATT&CK tactics and techniques, the rule type, data sources, and priority.

Events:
Defines two event variables: $fail and $success.
$fail: Represents a failed login event. The rule checks for a specific event type (USER_LOGIN) and certain conditions, namely the result being “INVALID_CREDENTIALS” and the action being “BLOCK”. The timestamps of the failed events are also constrained to be at or before the timestamp of the successful login event.
$success: Represents a successful login event. It checks for the same event type but requires that the action is “ALLOW”.

Match:
Defines a time window (15 minutes) in which these events are matched against each other for the same user and host.

Condition:
This is the main logic of the rule. It checks whether there are more than 2 failed login attempts followed by a successful login attempt.

This rule is a good starting point for detecting brute force attempts or suspicious login behavior. If implemented in a real-world scenario, it would trigger an alert when a user experiences multiple failed login attempts due to invalid credentials within 15 minutes, followed by a successful login. Adjusting the time window or the number of failed attempts can tailor the rule’s sensitivity to your specific environment’s needs.

Sample YARA-L Rule

rule demo_repeatedAuthFailure_thenSuccess {

  meta:
    author = "Google Chronicle"
    description = "Rule to identify a successful login after 4 failed login attempts"
    severity = "Medium"
    mitre_attack_tactic = "Credential Access"
    mitre_attack_technique = "Brute Force: Password Guessing"
    mitre_attack_url = ""
    mitre_attack_version = "T1110"
    type = "Hunt"
    data_source = "Okta, Duo, Workspace"
    priority = "Medium"

  events:
    // Failed login: invalid credentials, blocked, and not later than the success.
    $fail.metadata.event_type = "USER_LOGIN"
    // The UDM user field was dropped by extraction; target.user.userid is assumed here.
    $fail.target.user.userid = $targetUser
    $fail.security_result.category_details = "INVALID_CREDENTIALS"
    $fail.security_result.action = "BLOCK"
    $fail.metadata.event_timestamp.seconds <= $success.metadata.event_timestamp.seconds

    // Successful login for the same user.
    $success.metadata.event_type = "USER_LOGIN"
    $success.target.user.userid = $targetUser
    $success.security_result.action = "ALLOW"

  match:
    // Group the events by user over a 15-minute window.
    $targetUser over 15m

  condition:
    // More than two failures and at least one success in the window.
    #fail > 2 and $success
}
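To show what the rule's events, match and condition sections actually select, here is an added Python re-implementation of the same logic run over constructed UDM-style login events (example code, not part of the original page or of Chronicle). It approximates the 15-minute match window as "failures within 15 minutes before the successful login"; the field names and sample users are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events (not from the original page). Each tuple mirrors the
# fields the rule touches: event_timestamp, target.user.userid, metadata.event_type,
# security_result.action, security_result.category_details.
SAMPLE_EVENTS = [
    ("2024-03-01T10:00:00", "alice", "USER_LOGIN", "BLOCK", "INVALID_CREDENTIALS"),
    ("2024-03-01T10:02:00", "alice", "USER_LOGIN", "BLOCK", "INVALID_CREDENTIALS"),
    ("2024-03-01T10:05:00", "alice", "USER_LOGIN", "BLOCK", "INVALID_CREDENTIALS"),
    ("2024-03-01T10:07:00", "alice", "USER_LOGIN", "ALLOW", ""),
    ("2024-03-01T10:09:00", "alice", "USER_LOGIN", "BLOCK", "INVALID_CREDENTIALS"),  # after success: not counted
    ("2024-03-01T11:00:00", "bob", "USER_LOGIN", "BLOCK", "INVALID_CREDENTIALS"),
    ("2024-03-01T11:01:00", "bob", "USER_LOGIN", "BLOCK", "INVALID_CREDENTIALS"),
    ("2024-03-01T11:02:00", "bob", "USER_LOGIN", "ALLOW", ""),                       # only 2 failures: no alert
    ("2024-03-01T09:00:00", "carol", "USER_LOGIN", "BLOCK", "INVALID_CREDENTIALS"),
    ("2024-03-01T09:01:00", "carol", "USER_LOGIN", "BLOCK", "INVALID_CREDENTIALS"),
    ("2024-03-01T09:02:00", "carol", "USER_LOGIN", "BLOCK", "INVALID_CREDENTIALS"),
    ("2024-03-01T09:30:00", "carol", "USER_LOGIN", "ALLOW", ""),                     # outside 15m window: no alert
]

def parse(rows):
    """Turn the constructed tuples into dicts with real datetime objects."""
    return [{"ts": datetime.fromisoformat(ts), "user": u, "event_type": et,
             "action": a, "category": c} for ts, u, et, a, c in rows]

def detect(events, window=timedelta(minutes=15), min_fails=3):
    """Mimic the rule: for each user, a successful USER_LOGIN preceded within
    `window` by more than two INVALID_CREDENTIALS/BLOCK logins (#fail > 2).
    Returns a list of (user, success_timestamp, failure_count) tuples."""
    by_user = {}
    for e in events:
        if e["event_type"] == "USER_LOGIN":          # $fail/$success.metadata.event_type
            by_user.setdefault(e["user"], []).append(e)   # match: $targetUser
    hits = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for s in evs:
            if s["action"] != "ALLOW":               # $success.security_result.action
                continue
            fails = [f for f in evs
                     if f["action"] == "BLOCK" and f["category"] == "INVALID_CREDENTIALS"
                     and s["ts"] - window <= f["ts"] <= s["ts"]]   # fail timestamp <= success timestamp
            if len(fails) >= min_fails:              # condition: #fail > 2 and $success
                hits.append((user, s["ts"].isoformat(), len(fails)))
    return hits

if __name__ == "__main__":
    for hit in detect(parse(SAMPLE_EVENTS)):
        print("ALERT user=%s success_at=%s failures=%d" % hit)
```

Lowering `min_fails` or widening `window` shows how the rule's sensitivity changes, as the text above suggests for tuning.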

