EXPLORE
Sign In
← Back to Explore
crowdstrike_cqlTTP

Brute Force based on Microsoft Defender for Identity

Detects multiple failed authentication attempts against a user account as identified by Microsoft Defender for Identity. This behavior may indicate brute‑force or password‑guessing activity aimed at compromising credentials and gaining unauthorized access Detects multiple failed authentication attempts against a user account as identified by Microsoft Defender for Identity. This behavior may indicate brute‑force or password‑guessing activity aimed at compromising credentials and gaining unauthorized access

MITRE ATT&CK

T1110
credential-access

Detection Query

#Vendor = "microsoft"
| #event.module = "defender-identity"
| Vendor.category = "AdvancedHunting-IdentityLogonEvents"
| Vendor.properties.LogonType = "Failed logon"
| groupBy([user.name, source.address], function=[count(as=failed_logons),count(field=Vendor.properties.DestinationDeviceName, distinct=true, as=unique_destinations),collect(fields=Vendor.properties.DestinationDeviceName),min(@timestamp, as=start_time),max(@timestamp, as=end_time)])
| failed_logons >=5 //Adjust the value 
| time_diff_min := (end_time - start_time) / 60000
| time_diff_min <= 10 //Adjust the value 
| start_time_fmt := formatTime("%Y-%m-%d %H:%M:%S", field=start_time, timezone="UTC")
| end_time_fmt := formatTime("%Y-%m-%d %H:%M:%S", field=end_time, timezone="UTC")
| drop([start_time, end_time])
| sort([failed_logons], order=desc)

Author

Kundan Kumar

Data Sources

Identity

Tags

Detectioncs_module:Identity
Raw Content
# --- Query Metadata ---
# Human-readable name for the query. Will be displayed as the title.
name: Brute Force based on Microsoft Defender for Identity

# MITRE ATT&CK technique IDs
mitre_ids:
  - T1110

# Description of what the query does and its purpose.
description: |
  Detects multiple failed authentication attempts against a user account as identified by Microsoft Defender for Identity. This behavior may indicate brute‑force or password‑guessing activity aimed at compromising credentials and gaining unauthorized access

# The author or team that created the query.
author: Kundan Kumar

# The required log sources to run this query successfully in Next-Gen SIEM.
log_sources:
  - Identity

# The CrowdStrike modules required to run this query.
cs_required_modules:
  - Identity

# Tags for filtering and categorization.
tags:
  - Detection

# --- Query Content ---
# The actual CrowdStrike Query Language (CQL) code.
# Using the YAML block scalar `|` allows for multi-line strings.
cql: |
  #Vendor = "microsoft"
  | #event.module = "defender-identity"
  | Vendor.category = "AdvancedHunting-IdentityLogonEvents"
  | Vendor.properties.LogonType = "Failed logon"
  | groupBy([user.name, source.address], function=[count(as=failed_logons),count(field=Vendor.properties.DestinationDeviceName, distinct=true, as=unique_destinations),collect(fields=Vendor.properties.DestinationDeviceName),min(@timestamp, as=start_time),max(@timestamp, as=end_time)])
  | failed_logons >=5 //Adjust the value 
  | time_diff_min := (end_time - start_time) / 60000
  | time_diff_min <= 10 //Adjust the value 
  | start_time_fmt := formatTime("%Y-%m-%d %H:%M:%S", field=start_time, timezone="UTC")
  | end_time_fmt := formatTime("%Y-%m-%d %H:%M:%S", field=end_time, timezone="UTC")
  | drop([start_time, end_time])
  | sort([failed_logons], order=desc)

# Explanation of the query.
# Using the YAML block scalar `|` allows for multi-line strings.
# Uses markdown for formatting on the webpage.
explanation: |
  Detects multiple failed authentication attempts against a user account as identified by Microsoft Defender for Identity. This behavior may indicate brute‑force or password‑guessing activity aimed at compromising credentials and gaining unauthorized access