From e77292abfaceeaf89846ba481b8504953e7b1a54 Mon Sep 17 00:00:00 2001
From: andrewmathuj <101790053+andrewmathuj@users.noreply.github.com>
Date: Thu, 2 Jul 2026 13:35:25 +0300
Subject: [PATCH 1/4] Add detection query for Bastion brute force attacks
This query detects brute force attacks on Azure Bastion by monitoring failed login attempts from the same source IP. It includes parameters for tuning the detection sensitivity.
---
 .../Detection - Bastion Brute Force.json | 37 +++++++++++++++++++
 1 file changed, 37 insertions(+)
 create mode 100644 Azure Bastion/Alerts - Queries and Alerts/Detection - Bastion Brute Force/Detection - Bastion Brute Force.json
diff --git a/Azure Bastion/Alerts - Queries and Alerts/Detection - Bastion Brute Force/Detection - Bastion Brute Force.json b/Azure Bastion/Alerts - Queries and Alerts/Detection - Bastion Brute Force/Detection - Bastion Brute Force.json
new file mode 100644
index 00000000..7675d9da
--- /dev/null
+++ b/Azure Bastion/Alerts - Queries and Alerts/Detection - Bastion Brute Force/Detection - Bastion Brute Force.json
@@ -0,0 +1,37 @@
+// Detection - Azure Bastion Brute Force
+// Detects brute force / credential-guessing against Azure Bastion by flagging a high
+// number of FAILED session logins from the same source IP within a short window.
+// Data source: MicrosoftAzureBastionAuditLogs (requires the "Bastion Audit Logs"
+// diagnostic setting enabled and routed to Log Analytics).
+// Tuning profiles (lookback / threshold):
+// Aggressive: 5m / 5 | Balanced (recommended): 15m / 5 | Conservative: 1h / 10
+let lookback = 15m;
+let threshold = 5;
+let AllowlistedSourceIPs = dynamic([]);
+MicrosoftAzureBastionAuditLogs
+| where TimeGenerated > ago(lookback)
+| where Message == "Login Failed"
+| extend UserName = tostring(UserName),
+ UserEmail = tostring(UserEmail),
+ SourceIP = tostring(ClientIpAddress),
+ TargetVM = tostring(TargetVMIPAddress),
+ TargetResourceId = tostring(TargetResourceId),
+ Protocol = tostring(Protocol)
+| where isnotempty(SourceIP)
+| where SourceIP !in (AllowlistedSourceIPs)
+| summarize FailedAttempts = count(),
+ DistinctTargetVMs = dcount(TargetVM),
+ DistinctAccounts = dcount(UserName),
+ FirstSeen = min(TimeGenerated),
+ LastSeen = max(TimeGenerated),
+ TargetedAccounts = make_set(UserName, 25),
+ InitiatingUsers = make_set(UserEmail, 25),
+ TargetVMs = make_set(TargetVM, 25),
+ TargetResourceIds = make_set(TargetResourceId, 25),
+ Protocols = make_set(Protocol, 5)
+ by SourceIP
+| where FailedAttempts >= threshold
+| extend AttackWindowMinutes = datetime_diff('minute', LastSeen, FirstSeen)
+| extend LikelyPasswordSpray = DistinctAccounts >= 5
+| extend HighVolume = FailedAttempts >= threshold * 2
+| order by FailedAttempts desc
From 9ec3c230bd6ba814587f55ebc716b57988b3a078 Mon Sep 17 00:00:00 2001
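Review bot: The new file is named `Detection - Bastion Brute Force.json` but its content is a raw KQL query (`//` comments, `let` statements, pipeline operators), so it will not parse as JSON and presumably any tooling that loads this folder as analytics-rule templates will reject it; either wrap the query in a rule template or rename it to `.kql`, whichever the sibling detections use. The `LikelyPasswordSpray = DistinctAccounts >= 5` line hard-codes a second sensitivity knob that the header's tuning profiles never mention; hoisting it to `let sprayAccountThreshold = 5;` next to `threshold` keeps all tunables in one place and lets the README document it. The inner `| where TimeGenerated > ago(lookback)` filter only gives the advertised coverage if, when deployed as a scheduled rule, the rule's query period is at least `lookback`; a comment such as `// When scheduled, set the rule's query period to at least lookback or events between runs are never evaluated` would spare the next operator a silent gap. Finally, `Message == "Login Failed"` is an exact, case-sensitive match; unless the audit log guarantees that exact string, `=~` or `has` would be the more robust predicate.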
From: andrewmathuj <101790053+andrewmathuj@users.noreply.github.com>
Date: Thu, 2 Jul 2026 13:40:15 +0300
Subject: [PATCH 2/4] Create README.md
---
 .../Detection - Bastion Brute Force/README.md | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 Azure Bastion/Alerts - Queries and Alerts/Detection - Bastion Brute Force/README.md
diff --git a/Azure Bastion/Alerts - Queries and Alerts/Detection - Bastion Brute Force/README.md b/Azure Bastion/Alerts - Queries and Alerts/Detection - Bastion Brute Force/README.md
new file mode 100644
index 00000000..8b137891
--- /dev/null
+++ b/Azure Bastion/Alerts - Queries and Alerts/Detection - Bastion Brute Force/README.md
@@ -0,0 +1 @@
+
From 9b34c418430f88e5cd2b564fd14d794361d6feb8 Mon Sep 17 00:00:00 2001
From: andrewmathuj <101790053+andrewmathuj@users.noreply.github.com>
Date: Thu, 2 Jul 2026 13:42:06 +0300
Subject: [PATCH 3/4] Enhance README with brute force detection info
Added details on detecting Bastion brute force attempts and contribution guidelines.
---
 .../Detection - Bastion Brute Force/README.md | 22 +++++++++++++++++++
 1 file changed, 22 insertions(+)
diff --git a/Azure Bastion/Alerts - Queries and Alerts/Detection - Bastion Brute Force/README.md b/Azure Bastion/Alerts - Queries and Alerts/Detection - Bastion Brute Force/README.md
index 8b137891..ae0dfd00 100644
--- a/Azure Bastion/Alerts - Queries and Alerts/Detection - Bastion Brute Force/README.md
+++ b/Azure Bastion/Alerts - Queries and Alerts/Detection - Bastion Brute Force/README.md
@@ -1 +1,23 @@
+# Detection - Bastion Brute Force
+This query uses Azure Bastion audit logs (`MicrosoftAzureBastionAuditLogs`) to detect potential brute force activity by identifying multiple failed session logins (`Message == "Login Failed"`) from the same source IP against Bastion-fronted VMs within a short window. It groups failures by source IP, surfaces the targeted accounts and VMs, and raises a result when the count meets the configured threshold (default: 5 failures in 15 minutes). Adjust the `lookback` and `threshold` parameters to tune sensitivity for your environment.
+
+## Contributing
+
+This project welcomes contributions and suggestions. Most contributions require you to agree to a
+
+Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us
+
+the rights to use your contribution. For details, visit https://cla.opensource.microsoft.com.
+
+When you submit a pull request, a CLA bot will automatically determine whether you need to provide
+
+a CLA and decorate the PR appropriately (e.g., status check, comment). Simply follow the instructions
+
+provided by the bot. You will only need to do this once across all repos using our CLA.
+
+This project has adopted the [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/).
+
+For more information see the [Code of Conduct FAQ](https://opensource.microsoft.com/codeofconduct/faq/) or
+
+contact [opencode@microsoft.com](mailto:opencode@microsoft.com) with any additional questions or comments.
From ac8011a40416d0a6cbe4ce630fa5c8de3179e49b Mon Sep 17 00:00:00 2001
From: andrewmathuj <101790053+andrewmathuj@users.noreply.github.com>
Date: Thu, 2 Jul 2026 13:44:04 +0300
Subject: [PATCH 4/4] Revise contributing guidelines and add code of conduct
Updated the contributing guidelines and added a note about the Microsoft Open Source Code of Conduct.
---
 .../Detection - Bastion Brute Force/README.md | 17 +++-------------- 
 1 file changed, 3 insertions(+), 14 deletions(-)
diff --git a/Azure Bastion/Alerts - Queries and Alerts/Detection - Bastion Brute Force/README.md b/Azure Bastion/Alerts - Queries and Alerts/Detection - Bastion Brute Force/README.md
index ae0dfd00..89a50227 100644
--- a/Azure Bastion/Alerts - Queries and Alerts/Detection - Bastion Brute Force/README.md
+++ b/Azure Bastion/Alerts - Queries and Alerts/Detection - Bastion Brute Force/README.md
@@ -3,21 +3,10 @@ This query uses Azure Bastion audit logs (`MicrosoftAzureBastionAuditLogs`) to detect potential brute force activity by identifying multiple failed session logins (`Message == "Login Failed"`) from the same source IP against Bastion-fronted VMs within a short window. It groups failures by source IP, surfaces the targeted accounts and VMs, and raises a result when the count meets the configured threshold (default: 5 failures in 15 minutes). Adjust the `lookback` and `threshold` parameters to tune sensitivity for your environment. ## Contributing - -This project welcomes contributions and suggestions. Most contributions require you to agree to a -Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us +This project welcomes contributions and suggestions. Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us the rights to use your contribution. For details, visit https://cla.opensource.microsoft.com. -the rights to use your contribution. For details, visit https://cla.opensource.microsoft.com. - -When you submit a pull request, a CLA bot will automatically determine whether you need to provide +When you submit a pull request, a CLA bot will automatically determine whether you need to provide a CLA and decorate the PR appropriately (e.g., status check, comment). Simply follow the instructions provided by the bot. You will only need to do this once across all repos using our CLA. -a CLA and decorate the PR appropriately (e.g., status check, comment). Simply follow the instructions +This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact opencode@microsoft.com with any additional questions or comments. -provided by the bot. You will only need to do this once across all repos using our CLA. 
- -This project has adopted the [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/). - -For more information see the [Code of Conduct FAQ](https://opensource.microsoft.com/codeofconduct/faq/) or - -contact [opencode@microsoft.com](mailto:opencode@microsoft.com) with any additional questions or comments.