Sample rules
Azure Entra ID Password Spraying (Non-Interactive SFA)
- source: elastic
- technicques:
- T1110
Description
Identifies potential brute-force (password spraying) attempts against Azure Entra ID user accounts by detecting a high number of failed non-interactive single-factor authentication (SFA) login attempts within a 10-minute window. Attackers may attempt to brute force user accounts to gain unauthorized access to Azure Entra ID services. Non-interactive SFA login attempts bypass conditional-access policies (CAP) and multi-factor authentication (MFA) requirements, making them a high-risk vector for unauthorized access. Adversaries may attempt this to identify which accounts are still valid from acquired credentials via phishing, infostealers, or other means.
Detection logic
from logs-azure.signinlogs*
| keep
@timestamp,
event.dataset,
event.category,
azure.signinlogs.properties.is_interactive,
azure.signinlogs.properties.authentication_requirement,
azure.signinlogs.properties.resource_display_name,
azure.signinlogs.properties.status.error_code,
azure.signinlogs.properties.resource_service_principal_id,
azure.signinlogs.category,
event.outcome,
azure.signinlogs.properties.user_principal_name,
source.ip
// truncate the timestamp to a 10-minute window
| eval target_time_window = DATE_TRUNC(10 minutes, @timestamp)
| WHERE
event.dataset == "azure.signinlogs"
and event.category == "authentication"
and azure.signinlogs.properties.is_interactive == false
and azure.signinlogs.properties.authentication_requirement == "singleFactorAuthentication"
and event.outcome != "success"
and azure.signinlogs.properties.status.error_code in (50053, 50126, 50055, 50056, 50064, 50144)
// for tuning review azure.signinlogs.properties.status.error_code
// https://learn.microsoft.com/en-us/entra/identity-platform/reference-error-codes
// count the number of unique user login attempts
| stats
unique_user_login_count = count_distinct(azure.signinlogs.properties.resource_service_principal_id) by
target_time_window,
azure.signinlogs.properties.user_principal_name,
azure.signinlogs.properties.status.error_code
// filter for >= 20 failed SFA auth attempts with the same error codes
| where unique_user_login_count >= 20
Azure Entra Sign-in Brute Force against Microsoft 365 Accounts
- source: elastic
- technicques:
- T1110
Description
Identifies potential brute-force attempts against Microsoft 365 user accounts by detecting a high number of failed interactive or non-interactive login attempts within a 30-minute window. Attackers may attempt to brute force user accounts to gain unauthorized access to Microsoft 365 services via different services such as Exchange, SharePoint, or Teams.
Detection logic
from logs-azure.signinlogs*
// truncate the timestamp to a 30-minute window
| eval target_time_window = DATE_TRUNC(30 minutes, @timestamp)
| WHERE
event.dataset == "azure.signinlogs"
and event.category == "authentication"
and to_lower(azure.signinlogs.properties.resource_display_name) rlike "(.*)365(.*)"
and azure.signinlogs.category in ("NonInteractiveUserSignInLogs", "SignInLogs")
and event.outcome != "success"
and not (azure.signinlogs.category == "NonInteractiveUserSignInLogs"
and azure.signinlogs.properties.status.error_code in (70043, 70044, 50057)
and azure.signinlogs.properties.incoming_token_type in ("primaryRefreshToken", "refreshToken"))
// for tuning review azure.signinlogs.properties.status.error_code
// https://learn.microsoft.com/en-us/entra/identity-platform/reference-error-codes
// keep only relevant fields
| keep target_time_window, event.dataset, event.category, azure.signinlogs.properties.resource_display_name, azure.signinlogs.category, event.outcome, azure.signinlogs.properties.user_principal_name, source.ip
// count the number of login sources and failed login attempts
| stats
login_source_count = count(source.ip),
failed_login_count = count(*) by target_time_window, azure.signinlogs.properties.user_principal_name
// filter for users with more than 20 login sources or failed login attempts
| where (login_source_count >= 20 or failed_login_count >= 20)
Azure Entra Sign-in Brute Force Microsoft 365 Accounts by Repeat Source
- source: elastic
- technicques:
- T1110
Description
Identifies potential brute-force attempts against Microsoft 365 user accounts by detecting a high number of failed interactive or non-interactive login attempts within a 30-minute window from a single source. Attackers may attempt to brute force user accounts to gain unauthorized access to Microsoft 365 services via different services such as Exchange, SharePoint, or Teams.
Detection logic
from logs-azure.signinlogs*
| WHERE
event.dataset == "azure.signinlogs"
and event.category == "authentication"
and to_lower(azure.signinlogs.properties.resource_display_name) rlike "(.*)365(.*)"
and azure.signinlogs.category in ("NonInteractiveUserSignInLogs", "SignInLogs")
and event.outcome != "success"
// For tuning, review azure.signinlogs.properties.status.error_code
// https://learn.microsoft.com/en-us/entra/identity-platform/reference-error-codes
// keep only relevant fields
| keep event.dataset, event.category, azure.signinlogs.properties.resource_display_name, azure.signinlogs.category, event.outcome, azure.signinlogs.properties.user_principal_name, source.ip
// Count the number of unique targets per source IP
| stats
target_count = count_distinct(azure.signinlogs.properties.user_principal_name) by source.ip
// Filter for at least 10 distinct failed login attempts from a single source
| where target_count >= 10
AWS Management Console Brute Force of Root User Identity
- source: elastic
- technicques:
- T1110
Description
Identifies a high number of failed authentication attempts to the AWS management console for the Root user identity. An adversary may attempt to brute force the password for the Root user identity, as it has complete access to all services and resources for the AWS account.
Detection logic
event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:ConsoleLogin and aws.cloudtrail.user_identity.type:Root and event.outcome:failure
Okta Brute Force or Password Spraying Attack
- source: elastic
- technicques:
- T1110
Description
Identifies a high number of failed Okta user authentication attempts from a single IP address, which could be indicative of a brute force or password spraying attack. An adversary may attempt a brute force or password spraying attack to obtain unauthorized access to user accounts.
Detection logic
event.dataset:okta.system and event.category:authentication and event.outcome:failure
O365 Excessive Single Sign-On Logon Errors
- source: elastic
- technicques:
- T1110
Description
Identifies accounts with a high number of single sign-on (SSO) logon errors. Excessive logon errors may indicate an attempt to brute force a password or SSO token.
Detection logic
event.dataset:o365.audit and event.provider:AzureActiveDirectory and event.category:authentication and o365.audit.LogonError:"SsoArtifactInvalidOrExpired"
Attempts to Brute Force a Microsoft 365 User Account
- source: elastic
- technicques:
- T1110
Description
Identifies potential brute-force attempts against Microsoft 365 user accounts by detecting a high number of failed login attempts or login sources within a 30-minute window. Attackers may attempt to brute force user accounts to gain unauthorized access to Microsoft 365 services.
Detection logic
from logs-o365.audit-*
// truncate the timestamp to a 30-minute window
| eval target_time_window = DATE_TRUNC(30 minutes, @timestamp)
| mv_expand event.category
| where event.dataset == "o365.audit"
and event.category == "authentication"
// filter only on Entra ID or Exchange audit logs in O365 integration
and event.provider in ("AzureActiveDirectory", "Exchange")
// filter only for UserLoginFailed or partial failures
and event.action in ("UserLoginFailed", "PasswordLogonInitialAuthUsingPassword")
// ignore specific logon errors
and not o365.audit.LogonError in (
"EntitlementGrantsNotFound",
"UserStrongAuthEnrollmentRequired",
"UserStrongAuthClientAuthNRequired",
"InvalidReplyTo",
"SsoArtifactExpiredDueToConditionalAccess",
"PasswordResetRegistrationRequiredInterrupt",
"SsoUserAccountNotFoundInResourceTenant",
"UserStrongAuthExpired",
"CmsiInterrupt"
)
// ignore unavailable
and o365.audit.UserId != "Not Available"
// filters out non user or application logins based on target
and o365.audit.Target.Type in ("0", "2", "3", "5", "6", "10")
// filters only for logins from user or application, ignoring oauth:token
and to_lower(o365.audit.ExtendedProperties.RequestType) rlike "(.*)login(.*)"
// keep only relevant fields
| keep event.provider, event.dataset, event.category, o365.audit.UserId, event.action, source.ip, o365.audit.LogonError, o365.audit.ExtendedProperties.RequestType, o365.audit.Target.Type, target_time_window
// count the number of login sources and failed login attempts
| stats
login_source_count = count(source.ip),
failed_login_count = count(*) by target_time_window, o365.audit.UserId
// filter for users with more than 20 login sources or failed login attempts
| where (login_source_count >= 20 or failed_login_count >= 20)
Deprecated - Potential Password Spraying of Microsoft 365 User Accounts
- source: elastic
- technicques:
- T1110
Description
Identifies a high number (25) of failed Microsoft 365 user authentication attempts from a single IP address within 30 minutes, which could be indicative of a password spraying attack. An adversary may attempt a password spraying attack to obtain unauthorized access to user accounts.
Detection logic
event.dataset:o365.audit and event.provider:(Exchange or AzureActiveDirectory) and event.category:authentication and
event.action:("UserLoginFailed" or "PasswordLogonInitialAuthUsingPassword")