LoFP LoFP / automated processes that attempt to authenticate using expired credentials and unbounded retries may lead to false positives.

Sample rules

AWS Management Console Brute Force of Root User Identity

Description

Identifies a high number of failed authentication attempts to the AWS management console for the Root user identity. An adversary may attempt to brute force the password for the Root user identity, as it has complete access to all services and resources for the AWS account.

Detection logic

event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:ConsoleLogin and aws.cloudtrail.user_identity.type:Root and event.outcome:failure

Okta Brute Force or Password Spraying Attack

Description

Identifies a high number of failed Okta user authentication attempts from a single IP address, which could be indicative of a brute force or password spraying attack. An adversary may attempt a brute force or password spraying attack to obtain unauthorized access to user accounts.

Detection logic

event.dataset:okta.system and event.category:authentication and event.outcome:failure

Potential Microsoft 365 User Account Brute Force

Description

Identifies brute-force authentication activity targeting Microsoft 365 user accounts using failed sign-in patterns that match password spraying, credential stuffing, or password guessing behavior. Adversaries may attempt brute-force authentication with credentials obtained from previous breaches, leaks, marketplaces or guessable passwords.

Detection logic

FROM logs-o365.audit-*

| MV_EXPAND event.category
| EVAL
    time_window = DATE_TRUNC(5 minutes, @timestamp),
    user_id = TO_LOWER(o365.audit.UserId),
    ip = source.ip,
    login_error = o365.audit.LogonError,
    request_type = TO_LOWER(o365.audit.ExtendedProperties.RequestType),
    asn_org = source.`as`.organization.name,
    country = source.geo.country_name,
    event_time = @timestamp

| WHERE event.dataset == "o365.audit"
  AND event.category == "authentication"
  AND event.provider IN ("AzureActiveDirectory", "Exchange")
  AND event.action IN ("UserLoginFailed", "PasswordLogonInitialAuthUsingPassword")
  AND request_type RLIKE "(oauth.*||.*login.*)"
  AND login_error != "IdsLocked"
  AND login_error NOT IN (
    "EntitlementGrantsNotFound", "UserStrongAuthEnrollmentRequired", "UserStrongAuthClientAuthNRequired",
    "InvalidReplyTo", "SsoArtifactExpiredDueToConditionalAccess", "PasswordResetRegistrationRequiredInterrupt",
    "SsoUserAccountNotFoundInResourceTenant", "UserStrongAuthExpired", "CmsiInterrupt"
  )
  AND user_id != "not available"
  AND o365.audit.Target.Type IN ("0", "2", "6", "10")

| STATS
    unique_users = COUNT_DISTINCT(user_id),
    user_id_list = VALUES(user_id),
    login_errors = VALUES(login_error),
    unique_login_errors = COUNT_DISTINCT(login_error),
    request_types = VALUES(request_type),
    ip_list = VALUES(ip),
    unique_ips = COUNT_DISTINCT(ip),
    source_orgs = VALUES(asn_org),
    countries = VALUES(country),
    unique_country_count = COUNT_DISTINCT(country),
    unique_asn_orgs = COUNT_DISTINCT(asn_org),
    first_seen = MIN(event_time),
    last_seen = MAX(event_time),
    total_attempts = COUNT()
  BY time_window

| EVAL
    duration_seconds = DATE_DIFF("seconds", first_seen, last_seen),
    bf_type = CASE(
        unique_users >= 15 AND unique_login_errors == 1 AND total_attempts >= 10 AND duration_seconds <= 1800, "password_spraying",
        unique_users >= 8 AND total_attempts >= 15 AND unique_login_errors <= 3 AND unique_ips <= 5 AND duration_seconds <= 600, "credential_stuffing",
        unique_users == 1 AND unique_login_errors == 1 AND total_attempts >= 20 AND duration_seconds <= 300, "password_guessing",
        "other"
    )

| KEEP
    time_window, unique_users, user_id_list, login_errors, unique_login_errors,
    request_types, ip_list, unique_ips, source_orgs, countries,
    unique_country_count, unique_asn_orgs, first_seen, last_seen,
    duration_seconds, total_attempts, bf_type

| WHERE
    bf_type != "other"

O365 Excessive Single Sign-On Logon Errors

Description

Identifies accounts with a high number of single sign-on (SSO) logon errors. Excessive logon errors may indicate an attempt to brute force a password or SSO token.

Detection logic

event.dataset:o365.audit and event.provider:AzureActiveDirectory and event.category:authentication and o365.audit.LogonError:"SsoArtifactInvalidOrExpired"

Deprecated - Potential Password Spraying of Microsoft 365 User Accounts

Description

Identifies a high number (25) of failed Microsoft 365 user authentication attempts from a single IP address within 30 minutes, which could be indicative of a password spraying attack. An adversary may attempt a password spraying attack to obtain unauthorized access to user accounts.

Detection logic

event.dataset:o365.audit and event.provider:(Exchange or AzureActiveDirectory) and event.category:authentication and
event.action:("UserLoginFailed" or "PasswordLogonInitialAuthUsingPassword")

Azure Entra Sign-in Brute Force Microsoft 365 Accounts by Repeat Source

Description

Identifies potential brute-force attempts against Microsoft 365 user accounts by detecting a high number of failed interactive or non-interactive login attempts within a 30-minute window from a single source. Attackers may attempt to brute force user accounts to gain unauthorized access to Microsoft 365 services via different services such as Exchange, SharePoint, or Teams.

Detection logic

from logs-azure.signinlogs*
| WHERE
  event.dataset == "azure.signinlogs"
  and event.category == "authentication"
  and to_lower(azure.signinlogs.properties.resource_display_name) rlike "(.*)365(.*)"
  and azure.signinlogs.category in ("NonInteractiveUserSignInLogs", "SignInLogs")
  and event.outcome != "success"

  // For tuning, review azure.signinlogs.properties.status.error_code
  // https://learn.microsoft.com/en-us/entra/identity-platform/reference-error-codes

// keep only relevant fields
| keep event.dataset, event.category, azure.signinlogs.properties.resource_display_name, azure.signinlogs.category, event.outcome, azure.signinlogs.properties.user_principal_name, source.ip

// Count the number of unique targets per source IP
| stats
  target_count = count_distinct(azure.signinlogs.properties.user_principal_name) by source.ip

// Filter for at least 10 distinct failed login attempts from a single source
| where target_count >= 10

Azure Entra ID Password Spraying (Non-Interactive SFA)

Description

Identifies potential brute-force (password spraying) attempts against Azure Entra ID user accounts by detecting a high number of failed non-interactive single-factor authentication (SFA) login attempts within a 10-minute window. Attackers may attempt to brute force user accounts to gain unauthorized access to Azure Entra ID services. Non-interactive SFA login attempts bypass conditional-access policies (CAP) and multi-factor authentication (MFA) requirements, making them a high-risk vector for unauthorized access. Adversaries may attempt this to identify which accounts are still valid from acquired credentials via phishing, infostealers, or other means.

Detection logic

from logs-azure.signinlogs*
| keep
    @timestamp,
    event.dataset,
    event.category,
    azure.signinlogs.properties.is_interactive,
    azure.signinlogs.properties.authentication_requirement,
    azure.signinlogs.properties.resource_display_name,
    azure.signinlogs.properties.status.error_code,
    azure.signinlogs.properties.resource_service_principal_id,
    azure.signinlogs.category,
    event.outcome,
    azure.signinlogs.properties.user_principal_name,
    source.ip
// truncate the timestamp to a 10-minute window
| eval target_time_window = DATE_TRUNC(10 minutes, @timestamp)
| WHERE
  event.dataset == "azure.signinlogs"
  and event.category == "authentication"
  and azure.signinlogs.properties.is_interactive == false
  and azure.signinlogs.properties.authentication_requirement == "singleFactorAuthentication"
  and event.outcome != "success"
  and azure.signinlogs.properties.status.error_code in (50053, 50126, 50055, 50056, 50064, 50144)
    // for tuning review azure.signinlogs.properties.status.error_code
    // https://learn.microsoft.com/en-us/entra/identity-platform/reference-error-codes

// count the number of unique user login attempts
| stats
    unique_user_login_count = count_distinct(azure.signinlogs.properties.resource_service_principal_id) by
        target_time_window,
        azure.signinlogs.properties.user_principal_name,
        azure.signinlogs.properties.status.error_code

// filter for >= 20 failed SFA auth attempts with the same error codes
| where unique_user_login_count >= 20

Potential Microsoft 365 Brute Force via Entra ID Sign-Ins

Description

Identifies potential brute-force attacks targeting Microsoft 365 user accounts by analyzing failed sign-in patterns in Microsoft Entra ID Sign-In Logs. This detection focuses on a high volume of failed interactive or non-interactive authentication attempts within a short time window, often indicative of password spraying, credential stuffing, or password guessing. Adversaries may use these techniques to gain unauthorized access to Microsoft 365 services such as Exchange Online, SharePoint, or Teams.

Detection logic

FROM logs-azure.signinlogs*

| EVAL
    time_window = DATE_TRUNC(5 minutes, @timestamp),
    user_id = TO_LOWER(azure.signinlogs.properties.user_principal_name),
    ip = source.ip,
    login_error = azure.signinlogs.result_description,
    error_code = azure.signinlogs.result_type,
    request_type = TO_LOWER(azure.signinlogs.properties.incoming_token_type),
    app_name = TO_LOWER(azure.signinlogs.properties.app_display_name),
    asn_org = source.`as`.organization.name,
    country = source.geo.country_name,
    user_agent = user_agent.original,
    event_time = @timestamp

| WHERE event.dataset == "azure.signinlogs"
  AND event.category == "authentication"
  AND azure.signinlogs.category IN ("NonInteractiveUserSignInLogs", "SignInLogs")
  AND azure.signinlogs.properties.resource_display_name RLIKE "(.*)365|SharePoint|Exchange|Teams|Office(.*)"
  AND event.outcome == "failure"
  AND NOT STARTS_WITH("Account is locked", login_error)
  AND azure.signinlogs.result_type IN (
    "50034", // UserAccountNotFound
    "50126", // InvalidUserNameOrPassword
    "50053", // IdsLocked or too many sign-in failures
    "70000", // InvalidGrant
    "70008", // Expired or revoked refresh token
    "70043", // Bad token due to sign-in frequency
    "50057", // UserDisabled
    "50055", // Password expired
    "50056", // Invalid or null password
    "50064", // Credential validation failure
    "50076", // MFA required but not passed
    "50079", // MFA registration required
    "50105"  // EntitlementGrantsNotFound (no access to app)
  )
  AND user_id IS NOT NULL AND user_id != ""
  AND user_agent != "Mozilla/5.0 (compatible; MSAL 1.0) PKeyAuth/1.0"

| STATS
    authentication_requirement = VALUES(azure.signinlogs.properties.authentication_requirement),
    client_app_id = VALUES(azure.signinlogs.properties.app_id),
    client_app_display_name = VALUES(azure.signinlogs.properties.app_display_name),
    target_resource_id = VALUES(azure.signinlogs.properties.resource_id),
    target_resource_display_name = VALUES(azure.signinlogs.properties.resource_display_name),
    conditional_access_status = VALUES(azure.signinlogs.properties.conditional_access_status),
    device_detail_browser = VALUES(azure.signinlogs.properties.device_detail.browser),
    device_detail_device_id = VALUES(azure.signinlogs.properties.device_detail.device_id),
    incoming_token_type = VALUES(azure.signinlogs.properties.incoming_token_type),
    risk_state = VALUES(azure.signinlogs.properties.risk_state),
    session_id = VALUES(azure.signinlogs.properties.session_id),
    user_id = VALUES(azure.signinlogs.properties.user_id),
    user_principal_name = VALUES(azure.signinlogs.properties.user_principal_name),
    result_description = VALUES(azure.signinlogs.result_description),
    result_signature = VALUES(azure.signinlogs.result_signature),
    result_type = VALUES(azure.signinlogs.result_type),

    unique_users = COUNT_DISTINCT(user_id),
    user_id_list = VALUES(user_id),
    login_errors = VALUES(login_error),
    unique_login_errors = COUNT_DISTINCT(login_error),
    request_types = VALUES(request_type),
    app_names = VALUES(app_name),
    ip_list = VALUES(ip),
    unique_ips = COUNT_DISTINCT(ip),
    source_orgs = VALUES(asn_org),
    countries = VALUES(country),
    unique_country_count = COUNT_DISTINCT(country),
    unique_asn_orgs = COUNT_DISTINCT(asn_org),
    first_seen = MIN(event_time),
    last_seen = MAX(event_time),
    total_attempts = COUNT()
  BY time_window

| EVAL
    duration_seconds = DATE_DIFF("seconds", first_seen, last_seen),
    bf_type = CASE(
        unique_users >= 15 AND unique_login_errors == 1 AND total_attempts >= 10 AND duration_seconds <= 1800, "password_spraying",
        unique_users >= 8 AND total_attempts >= 15 AND unique_login_errors <= 3 AND unique_ips <= 5 AND duration_seconds <= 600, "credential_stuffing",
        unique_users == 1 AND unique_login_errors == 1 AND total_attempts >= 30 AND duration_seconds <= 300, "password_guessing",
        "other"
    )

| KEEP
    time_window, bf_type, duration_seconds, total_attempts, first_seen, last_seen,
    unique_users, user_id_list, login_errors, unique_login_errors, request_types,
    app_names, ip_list, unique_ips, source_orgs, countries,
    unique_country_count, unique_asn_orgs,

    authentication_requirement, client_app_id, client_app_display_name,
    target_resource_id, target_resource_display_name, conditional_access_status,
    device_detail_browser, device_detail_device_id, incoming_token_type,
    risk_state, session_id, user_id, user_principal_name,
    result_description, result_signature, result_type

| WHERE bf_type != "other"