What Changed

StealthTalk Enterprise is onboarded as a new Microsoft Sentinel Solution (v3.0.0) with authentication anomaly detection content. The solution brings StealthTalk private business messenger authentication events into Sentinel through the Logs Ingestion API.

Data Source

The connector ingests anomalous authentication events from StealthTalk Enterprise via the Logs Ingestion API into the custom table StealthTalkAnomalousAuth_CL. The solution auto-deploys the Data Collection Endpoint, Data Collection Rule, and custom table through nested ARM templates.

Detection Surface Unlocked

Four scheduled analytic rules target common authentication attack patterns:

  • After Hours Work (Low): ≥3 off-hours logins across ≥2 calendar days per user (48h lookback, hourly schedule)
  • Multi New Devices Registration (Medium): ≥2 distinct new device registrations per user (24h lookback, 30min schedule)
  • Login Outside Work Zone (High): Geographic anomalies where login country/city ≠ assigned location (1h lookback, 15min schedule)
  • Password Brute Force (High): Multi-failure events with ≥9 password attempts (5h lookback, 15min schedule)

All rules use modern entityMappings format with Account/Host/IP entity extraction and full alert detail customisation.
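The After Hours Work thresholds above (≥3 off-hours logins on ≥2 calendar days per user within a 48h lookback), as an added Python example for checking the logic against sample data; this is not the solution's KQL rule. The event field names, the 09:00-18:00 UTC work window and the sample events are assumptions constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample events (not real StealthTalk data); field names are assumptions.
SAMPLE_EVENTS = [
    {"user": "alice", "time": "2024-03-04T22:15:00Z", "result": "Success"},
    {"user": "alice", "time": "2024-03-04T23:40:00Z", "result": "Success"},
    {"user": "alice", "time": "2024-03-05T02:05:00Z", "result": "Success"},
    {"user": "bob",   "time": "2024-03-05T21:00:00Z", "result": "Success"},
    {"user": "bob",   "time": "2024-03-05T21:30:00Z", "result": "Success"},
    {"user": "bob",   "time": "2024-03-05T22:10:00Z", "result": "Success"},
    {"user": "carol", "time": "2024-03-05T10:00:00Z", "result": "Success"},
    {"user": "carol", "time": "2024-03-01T23:00:00Z", "result": "Success"},
]

# Assumption: 09:00-18:00 UTC is the work window; anything else is off-hours.
WORK_START, WORK_END = 9, 18
# Fixed "now" so the 48h lookback is reproducible for the sample set.
NOW = datetime(2024, 3, 6, 0, 0, tzinfo=timezone.utc)


def is_off_hours(ts):
    return not (WORK_START <= ts.hour < WORK_END)


def after_hours_work(events, now, lookback=timedelta(hours=48),
                     min_logins=3, min_days=2):
    """Return users with >= min_logins successful off-hours logins that span
    >= min_days distinct calendar days inside the lookback window."""
    hits = defaultdict(list)
    for ev in events:
        ts = datetime.fromisoformat(ev["time"].replace("Z", "+00:00"))
        if ev["result"] != "Success" or ts < now - lookback or ts > now:
            continue  # failed login or outside the 48h window
        if is_off_hours(ts):
            hits[ev["user"]].append(ts)
    flagged = {}
    for user, times in hits.items():
        days = {t.date() for t in times}
        if len(times) >= min_logins and len(days) >= min_days:
            flagged[user] = {"logins": len(times),
                             "days": sorted(str(d) for d in days)}
    return flagged


def run_sample():
    return after_hours_work(SAMPLE_EVENTS, NOW)


if __name__ == "__main__":
    print(run_sample())
```

bob has three off-hours logins but on a single calendar day, so the ≥2-day condition keeps him out; carol's only off-hours login falls outside the 48h lookback.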

ASIM Coverage

Three parsers built against ASIM Authentication schema version 0.1.3 provide ASIM compliance:

  • vimAuthenticationStealthTalk (filtering parser)
  • ASimAuthenticationStealthTalk (non-filtering parser)
  • imAuthentication union extension registering StealthTalk alongside Microsoft built-in sources

MITRE Mapping

  • T1078 (Valid Accounts): Geographic and temporal anomaly detection
  • T1110 (Brute Force): Password attack detection with attempt threshold monitoring
  • T1098 (Account Manipulation): New device registration tracking

Affected Files

.script/tests/KqlvalidationsTests/CustomTables/StealthTalkAnomalousAuth_CL.json
.script/tests/detectionTemplateSchemaValidation/ValidConnectorIds.json
Solutions/StealthTalk/Analytic Rules/AfterHoursWork.yaml
Solutions/StealthTalk/Analytic Rules/LoginOutsideWorkZone.yaml
Solutions/StealthTalk/Analytic Rules/MultiNewDevicesRegistration.yaml
Solutions/StealthTalk/Analytic Rules/PasswordBruteForce.yaml
Solutions/StealthTalk/Data Connectors/ARM/StealthTalk_Ingestion.json
Solutions/StealthTalk/Data Connectors/StealthTalkConnector.json
Solutions/StealthTalk/Hunting Queries/AccountTakeoverSequence.yaml
Solutions/StealthTalk/Hunting Queries/BruteForceFollowedBySuspicious.yaml
Solutions/StealthTalk/Hunting Queries/ImpossibleTravel.yaml
Solutions/StealthTalk/Package/testParameters.json
Solutions/StealthTalk/Parsers/ASimDisabledParsers_watchlist.json
Solutions/StealthTalk/Parsers/imAuthentication_extension.json
Solutions/StealthTalk/Parsers/vimASimAuthenticationStealthTalk.json
Solutions/StealthTalk/Playbooks/StealthTalk-LogicApp-AlertToTeams/README.md
Solutions/StealthTalk/Playbooks/StealthTalk-LogicApp-AlertToTeams/azuredeploy.json
Solutions/StealthTalk/README.md
Solutions/StealthTalk/Workbooks/Images/Logo/st-ms-def-hub.svg
Solutions/StealthTalk/Workbooks/Images/Preview/StealthTalkDataConnector.png
Solutions/StealthTalk/Workbooks/Images/Preview/StealthTalkOverview.png
Solutions/StealthTalk/Workbooks/Images/Preview/StealthTalkSentinelIncident.png
Solutions/StealthTalk/Workbooks/Images/Preview/StealthTalkUserRiskLeaderboard.png
Solutions/StealthTalk/Workbooks/Images/Preview/StealthTalkWorldMap.png
Solutions/StealthTalk/Workbooks/StealthTalkAnomalousAuthMonitor.json
Workbooks/WorkbooksMetadata.json
(packaging artefacts: 3.0.0.zip, ReleaseNotes.md, SolutionMetadata.json, Solution_StealthTalk.json, createUiDefinition.json, mainTemplate.json)