Add Azure Bastion brute force detection query #548

Merged: shabaz-github merged 4 commits into Azure:master from andrewmathuj:master on Jul 2, 2026
Conversation

@andrewmathuj (Collaborator)
Summary

Adds a new KQL detection for Azure Bastion brute force / credential-guessing attacks under the Azure Bastion product folder. This is the first detection contributed for Azure Bastion (the product folder previously contained only Azure Policy content).

What it detects

Multiple failed Bastion session logins (Message == "Login Failed") originating from the same source IP against Bastion-fronted VMs within a short time window. Failures are grouped by source IP, and a result is raised when the count meets a configurable threshold. The query also surfaces the targeted OS accounts, initiating Entra identities, and target VMs, and adds heuristic flags (LikelyPasswordSpray, HighVolume) to aid triage.

Data source

  • Table: MicrosoftAzureBastionAuditLogs (resource-specific Bastion Audit Logs)
  • Requires the Bastion Audit Logs diagnostic setting enabled and routed to Log Analytics
  • Note: the Bastion Developer SKU does not emit audit logs (Basic/Standard/Premium do)

Tuning

Configurable via lookback and threshold parameters. Default (recommended): 5 failed logins in 15 minutes. An optional AllowlistedSourceIPs parameter suppresses trusted IPs.

Validation

Validated end-to-end against a live Azure Bastion (Premium) + private VM test environment, confirming the query fires correctly on real failed-login audit records.

Files added

  • Azure Bastion/Alerts - Queries and Alerts/Detection - Bastion Brute Force/Detection - Bastion Brute Force.json
  • Azure Bastion/Alerts - Queries and Alerts/Detection - Bastion Brute Force/README.md

Structure

Follows the existing repo convention (mirrors Azure Firewall/Alerts - Queries and Alerts/Detection - ...).
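A KQL query of the shape the description above outlines, added here as an illustration and not the query shipped in the PR's JSON. The table name and the `Message == "Login Failed"` filter come from the description; the column names ClientIpAddress, UserName, TargetVMIPAddress and TargetResourceId, the allowlist value and the thresholds behind the LikelyPasswordSpray and HighVolume flags are assumptions.

```kql
// Added example; column names other than Message are assumed, not taken from the PR.
let lookback = 15m;                 // time window to inspect
let threshold = 5;                  // failed logins per source IP that raise a result
let AllowlistedSourceIPs = dynamic(["203.0.113.10"]);   // constructed placeholder
MicrosoftAzureBastionAuditLogs
| where TimeGenerated > ago(lookback)
| where Message == "Login Failed"
| where isnotempty(ClientIpAddress)
| where ClientIpAddress !in (AllowlistedSourceIPs)      // suppress trusted sources
| summarize
    FailedLogins     = count(),
    DistinctAccounts = dcount(UserName),
    TargetedAccounts = make_set(UserName, 25),
    TargetVMs        = make_set(TargetVMIPAddress, 25),
    TargetResources  = make_set(TargetResourceId, 25),
    FirstFailure     = min(TimeGenerated),
    LastFailure      = max(TimeGenerated)
  by ClientIpAddress
| where FailedLogins >= threshold
// Heuristic triage flags (assumed cut-offs): many distinct accounts from one IP
// looks like a spray; several times the threshold marks an unusually noisy source.
| extend
    LikelyPasswordSpray = DistinctAccounts >= 3,
    HighVolume          = FailedLogins >= threshold * 4
| project ClientIpAddress, FailedLogins, DistinctAccounts, LikelyPasswordSpray,
          HighVolume, TargetedAccounts, TargetVMs, TargetResources,
          FirstFailure, LastFailure
| order by FailedLogins desc
```

Because the Developer SKU emits no audit logs, an empty result set on such a Bastion is expected rather than a sign the query is broken.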

This query detects brute force attacks on Azure Bastion by monitoring failed login attempts from the same source IP. It includes parameters for tuning the detection sensitivity.
Added details on detecting Bastion brute force attempts and contribution guidelines.
Updated the contributing guidelines and added a note about the Microsoft Open Source Code of Conduct.
@shabaz-github shabaz-github merged commit 1bcdf75 into Azure:master Jul 2, 2026
2 of 4 checks passed