IR-003 | identity | v1.0.0

Brute Force Authentication Attack

⚠️ medium · ⚠️ high
Est. Time20m
📋 Steps9 steps
🔧 Tools4 required
🔗 Integrations4 platforms
📊 Avg Resolution35m

🔧 Tools Required

- siem
- identity provider
- threat intelligence platform
- network firewall

⚡ Triggers

- siem_failed_login_threshold
- identity_provider_lockout_alert
- azure_ad_risky_sign_in
- okta_suspicious_activity_alert

🔌 Integrations

- azure active directory (required): Azure AD Sign-in Logs, Risky Users, Identity Protection
- okta (optional): Alternative IdP; System Log and ThreatInsight
- splunk (required): Log aggregation and correlation across authentication sources
- palo alto prisma access (optional): Geo-blocking and IP reputation enforcement at network edge


Classify the attack pattern: password spraying (few passwords, many accounts), credential stuffing (known breach credentials), brute force (many passwords, one account), or MFA fatigue attack. Identify the source: single IP, distributed IP range, TOR exit nodes, VPN infrastructure, or botnet. Note timing patterns (distributed vs. rate-limited).

⚡ Automation Hint

Splunk SPL (aggregate per source IP; a spray shows many distinct users from one IP, a brute force shows many failures against few users):
index=windows_security EventCode=4625 earliest=-1h | stats count AS failure_count, dc(user) AS distinct_users, values(user) AS targeted_accounts BY src_ip | eval attack_type=if(distinct_users>10,"password_spray","brute_force") | sort -failure_count

Azure AD KQL:
SigninLogs | where TimeGenerated > ago(1h) | where ResultType != "0" | summarize FailureCount=count() by IPAddress, UserPrincipalName | where FailureCount > 10

📤 Outputs

- attack_type
- source_ips
- targeted_accounts
- failure_count
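The classification this step describes, as an added Python example (not part of the playbook or its queries): failed logins are aggregated per source IP to separate password spraying from single-account brute force, and each targeted account is additionally checked for a distributed source, which a per-IP threshold alone would miss. The event tuples and thresholds are constructed assumptions, not real telemetry.

```python
from collections import defaultdict

# Constructed sample of failed sign-in events as (timestamp, source_ip, user).
# Not real telemetry; built only to exercise the classification logic.
SAMPLE_FAILED_LOGINS = (
    # one source IP, twelve accounts, one attempt each -> password spray
    [("2024-01-01T10:00:%02d" % i, "203.0.113.10", "user%02d" % i) for i in range(12)]
    # one source IP, one account, twenty-five attempts -> brute force
    + [("2024-01-01T10:05:%02d" % i, "198.51.100.7", "alice") for i in range(25)]
    # one account hit from six different IPs, three attempts each -> distributed
    + [("2024-01-01T10:10:%02d" % (3 * j + k), "192.0.2.%d" % j, "bob")
       for j in range(1, 7) for k in range(3)]
)

def classify_failed_logins(events, spray_user_threshold=10, min_failures=10,
                           distributed_ip_threshold=5):
    """Aggregate failures per source IP, label spray vs brute force, then flag
    accounts whose failures arrive from many IPs (distributed source)."""
    by_ip = defaultdict(lambda: {"count": 0, "users": set()})
    ips_by_user = defaultdict(set)
    for _ts, src_ip, user in events:
        by_ip[src_ip]["count"] += 1
        by_ip[src_ip]["users"].add(user)
        ips_by_user[user].add(src_ip)

    findings = []
    for src_ip, agg in by_ip.items():
        if agg["count"] < min_failures:
            continue
        attack_type = ("password_spray" if len(agg["users"]) > spray_user_threshold
                       else "brute_force")
        findings.append({"attack_type": attack_type, "source_ips": [src_ip],
                         "targeted_accounts": sorted(agg["users"]),
                         "failure_count": agg["count"]})
    # Per-IP thresholds miss a brute force spread thinly across many sources,
    # so also flag accounts whose failures come from an unusual number of IPs.
    for user, ips in ips_by_user.items():
        if len(ips) >= distributed_ip_threshold:
            failures = sum(1 for _ts, _ip, u in events if u == user)
            findings.append({"attack_type": "brute_force", "source_ips": sorted(ips),
                             "targeted_accounts": [user], "failure_count": failures})
    return sorted(findings, key=lambda f: -f["failure_count"])

if __name__ == "__main__":
    for f in classify_failed_logins(SAMPLE_FAILED_LOGINS):
        print(f["attack_type"], f["failure_count"], f["source_ips"], f["targeted_accounts"])
```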