Sample rules
AWS Management Console Brute Force of Root User Identity
- source: elastic
- techniques:
  - T1110
Description
Identifies a high number of failed authentication attempts to the AWS management console for the Root user identity. An adversary may attempt to brute force the password for the Root user identity, as it has complete access to all services and resources for the AWS account.
Detection logic
event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:ConsoleLogin and aws.cloudtrail.user_identity.type:Root and event.outcome:failure
Okta Brute Force or Password Spraying Attack
- source: elastic
- techniques:
  - T1110
Description
Identifies a high number of failed Okta user authentication attempts from a single IP address, which could be indicative of a brute force or password spraying attack. An adversary may attempt a brute force or password spraying attack to obtain unauthorized access to user accounts.
Detection logic
event.dataset:okta.system and event.category:authentication and event.outcome:failure
Potential Microsoft 365 User Account Brute Force
- source: elastic
- techniques:
  - T1110
Description
Identifies brute-force authentication activity targeting Microsoft 365 user accounts using failed sign-in patterns that match password spraying, credential stuffing, or password guessing behavior. Adversaries may attempt brute-force authentication with credentials obtained from previous breaches, leaks, marketplaces or guessable passwords.
Detection logic
FROM logs-o365.audit-*
| MV_EXPAND event.category
| EVAL
    time_window = DATE_TRUNC(5 minutes, @timestamp),
    user_id = TO_LOWER(o365.audit.UserId),
    ip = source.ip,
    login_error = o365.audit.LogonError,
    request_type = TO_LOWER(o365.audit.ExtendedProperties.RequestType),
    asn_org = source.`as`.organization.name,
    country = source.geo.country_name,
    event_time = @timestamp
| WHERE event.dataset == "o365.audit"
    AND event.category == "authentication"
    AND event.provider IN ("AzureActiveDirectory", "Exchange")
    AND event.action IN ("UserLoginFailed", "PasswordLogonInitialAuthUsingPassword")
    AND request_type RLIKE "(oauth.*||.*login.*)"
    AND login_error != "IdsLocked"
    AND login_error NOT IN (
        "EntitlementGrantsNotFound", "UserStrongAuthEnrollmentRequired", "UserStrongAuthClientAuthNRequired",
        "InvalidReplyTo", "SsoArtifactExpiredDueToConditionalAccess", "PasswordResetRegistrationRequiredInterrupt",
        "SsoUserAccountNotFoundInResourceTenant", "UserStrongAuthExpired", "CmsiInterrupt"
    )
    AND user_id != "not available"
    AND o365.audit.Target.Type IN ("0", "2", "6", "10")
| STATS
    unique_users = COUNT_DISTINCT(user_id),
    user_id_list = VALUES(user_id),
    login_errors = VALUES(login_error),
    unique_login_errors = COUNT_DISTINCT(login_error),
    request_types = VALUES(request_type),
    ip_list = VALUES(ip),
    unique_ips = COUNT_DISTINCT(ip),
    source_orgs = VALUES(asn_org),
    countries = VALUES(country),
    unique_country_count = COUNT_DISTINCT(country),
    unique_asn_orgs = COUNT_DISTINCT(asn_org),
    first_seen = MIN(event_time),
    last_seen = MAX(event_time),
    total_attempts = COUNT()
  BY time_window
| EVAL
    duration_seconds = DATE_DIFF("seconds", first_seen, last_seen),
    bf_type = CASE(
        unique_users >= 15 AND unique_login_errors == 1 AND total_attempts >= 10 AND duration_seconds <= 1800, "password_spraying",
        unique_users >= 8 AND total_attempts >= 15 AND unique_login_errors <= 3 AND unique_ips <= 5 AND duration_seconds <= 600, "credential_stuffing",
        unique_users == 1 AND unique_login_errors == 1 AND total_attempts >= 20 AND duration_seconds <= 300, "password_guessing",
        "other"
    )
| KEEP
    time_window, unique_users, user_id_list, login_errors, unique_login_errors,
    request_types, ip_list, unique_ips, source_orgs, countries,
    unique_country_count, unique_asn_orgs, first_seen, last_seen,
    duration_seconds, total_attempts, bf_type
| WHERE
    bf_type != "other"
O365 Excessive Single Sign-On Logon Errors
- source: elastic
- techniques:
  - T1110
Description
Identifies accounts with a high number of single sign-on (SSO) logon errors. Excessive logon errors may indicate an attempt to brute force a password or SSO token.
Detection logic
event.dataset:o365.audit and event.provider:AzureActiveDirectory and event.category:authentication and o365.audit.LogonError:"SsoArtifactInvalidOrExpired"
Deprecated - Potential Password Spraying of Microsoft 365 User Accounts
- source: elastic
- techniques:
  - T1110
Description
Identifies a high number (25) of failed Microsoft 365 user authentication attempts from a single IP address within 30 minutes, which could be indicative of a password spraying attack. An adversary may attempt a password spraying attack to obtain unauthorized access to user accounts.
Detection logic
event.dataset:o365.audit and event.provider:(Exchange or AzureActiveDirectory) and event.category:authentication and
event.action:("UserLoginFailed" or "PasswordLogonInitialAuthUsingPassword")
Azure Entra Sign-in Brute Force Microsoft 365 Accounts by Repeat Source
- source: elastic
- techniques:
  - T1110
Description
Identifies potential brute-force attempts against Microsoft 365 user accounts by detecting a high number of failed interactive or non-interactive login attempts within a 30-minute window from a single source. Attackers may attempt to brute force user accounts to gain unauthorized access to Microsoft 365 services via different services such as Exchange, SharePoint, or Teams.
Detection logic
from logs-azure.signinlogs*
| WHERE
    event.dataset == "azure.signinlogs"
    and event.category == "authentication"
    and to_lower(azure.signinlogs.properties.resource_display_name) rlike "(.*)365(.*)"
    and azure.signinlogs.category in ("NonInteractiveUserSignInLogs", "SignInLogs")
    and event.outcome != "success"
    // For tuning, review azure.signinlogs.properties.status.error_code
    // https://learn.microsoft.com/en-us/entra/identity-platform/reference-error-codes
// keep only relevant fields
| keep event.dataset, event.category, azure.signinlogs.properties.resource_display_name, azure.signinlogs.category, event.outcome, azure.signinlogs.properties.user_principal_name, source.ip
// Count the number of unique targets per source IP
| stats
    target_count = count_distinct(azure.signinlogs.properties.user_principal_name) by source.ip
// Filter for at least 10 distinct failed login attempts from a single source
| where target_count >= 10
Azure Entra ID Password Spraying (Non-Interactive SFA)
- source: elastic
- techniques:
  - T1110
Description
Identifies potential brute-force (password spraying) attempts against Azure Entra ID user accounts by detecting a high number of failed non-interactive single-factor authentication (SFA) login attempts within a 10-minute window. Attackers may attempt to brute force user accounts to gain unauthorized access to Azure Entra ID services. Non-interactive SFA login attempts bypass conditional-access policies (CAP) and multi-factor authentication (MFA) requirements, making them a high-risk vector for unauthorized access. Adversaries may attempt this to identify which accounts are still valid from acquired credentials via phishing, infostealers, or other means.
Detection logic
from logs-azure.signinlogs*
| keep
    @timestamp,
    event.dataset,
    event.category,
    azure.signinlogs.properties.is_interactive,
    azure.signinlogs.properties.authentication_requirement,
    azure.signinlogs.properties.resource_display_name,
    azure.signinlogs.properties.status.error_code,
    azure.signinlogs.properties.resource_service_principal_id,
    azure.signinlogs.category,
    event.outcome,
    azure.signinlogs.properties.user_principal_name,
    source.ip
// truncate the timestamp to a 10-minute window
| eval target_time_window = DATE_TRUNC(10 minutes, @timestamp)
| WHERE
    event.dataset == "azure.signinlogs"
    and event.category == "authentication"
    and azure.signinlogs.properties.is_interactive == false
    and azure.signinlogs.properties.authentication_requirement == "singleFactorAuthentication"
    and event.outcome != "success"
    and azure.signinlogs.properties.status.error_code in (50053, 50126, 50055, 50056, 50064, 50144)
    // for tuning review azure.signinlogs.properties.status.error_code
    // https://learn.microsoft.com/en-us/entra/identity-platform/reference-error-codes
// count the number of unique user login attempts
| stats
    unique_user_login_count = count_distinct(azure.signinlogs.properties.resource_service_principal_id) by
        target_time_window,
        azure.signinlogs.properties.user_principal_name,
        azure.signinlogs.properties.status.error_code
// filter for >= 20 failed SFA auth attempts with the same error codes
| where unique_user_login_count >= 20
Potential Microsoft 365 Brute Force via Entra ID Sign-Ins
- source: elastic
- techniques:
  - T1110
Description
Identifies potential brute-force attacks targeting Microsoft 365 user accounts by analyzing failed sign-in patterns in Microsoft Entra ID Sign-In Logs. This detection focuses on a high volume of failed interactive or non-interactive authentication attempts within a short time window, often indicative of password spraying, credential stuffing, or password guessing. Adversaries may use these techniques to gain unauthorized access to Microsoft 365 services such as Exchange Online, SharePoint, or Teams.
Detection logic
FROM logs-azure.signinlogs*
| EVAL
    time_window = DATE_TRUNC(5 minutes, @timestamp),
    user_id = TO_LOWER(azure.signinlogs.properties.user_principal_name),
    ip = source.ip,
    login_error = azure.signinlogs.result_description,
    error_code = azure.signinlogs.result_type,
    request_type = TO_LOWER(azure.signinlogs.properties.incoming_token_type),
    app_name = TO_LOWER(azure.signinlogs.properties.app_display_name),
    asn_org = source.`as`.organization.name,
    country = source.geo.country_name,
    user_agent = user_agent.original,
    event_time = @timestamp
| WHERE event.dataset == "azure.signinlogs"
    AND event.category == "authentication"
    AND azure.signinlogs.category IN ("NonInteractiveUserSignInLogs", "SignInLogs")
    AND azure.signinlogs.properties.resource_display_name RLIKE "(.*)365|SharePoint|Exchange|Teams|Office(.*)"
    AND event.outcome == "failure"
    AND NOT STARTS_WITH(login_error, "Account is locked")
    AND azure.signinlogs.result_type IN (
        "50034", // UserAccountNotFound
        "50126", // InvalidUserNameOrPassword
        "50053", // IdsLocked or too many sign-in failures
        "70000", // InvalidGrant
        "70008", // Expired or revoked refresh token
        "70043", // Bad token due to sign-in frequency
        "50057", // UserDisabled
        "50055", // Password expired
        "50056", // Invalid or null password
        "50064", // Credential validation failure
        "50076", // MFA required but not passed
        "50079", // MFA registration required
        "50105" // EntitlementGrantsNotFound (no access to app)
    )
    AND user_id IS NOT NULL AND user_id != ""
    AND user_agent != "Mozilla/5.0 (compatible; MSAL 1.0) PKeyAuth/1.0"
| STATS
    authentication_requirement = VALUES(azure.signinlogs.properties.authentication_requirement),
    client_app_id = VALUES(azure.signinlogs.properties.app_id),
    client_app_display_name = VALUES(azure.signinlogs.properties.app_display_name),
    target_resource_id = VALUES(azure.signinlogs.properties.resource_id),
    target_resource_display_name = VALUES(azure.signinlogs.properties.resource_display_name),
    conditional_access_status = VALUES(azure.signinlogs.properties.conditional_access_status),
    device_detail_browser = VALUES(azure.signinlogs.properties.device_detail.browser),
    device_detail_device_id = VALUES(azure.signinlogs.properties.device_detail.device_id),
    incoming_token_type = VALUES(azure.signinlogs.properties.incoming_token_type),
    risk_state = VALUES(azure.signinlogs.properties.risk_state),
    session_id = VALUES(azure.signinlogs.properties.session_id),
    user_id = VALUES(azure.signinlogs.properties.user_id),
    user_principal_name = VALUES(azure.signinlogs.properties.user_principal_name),
    result_description = VALUES(azure.signinlogs.result_description),
    result_signature = VALUES(azure.signinlogs.result_signature),
    result_type = VALUES(azure.signinlogs.result_type),
    unique_users = COUNT_DISTINCT(user_id),
    user_id_list = VALUES(user_id),
    login_errors = VALUES(login_error),
    unique_login_errors = COUNT_DISTINCT(login_error),
    request_types = VALUES(request_type),
    app_names = VALUES(app_name),
    ip_list = VALUES(ip),
    unique_ips = COUNT_DISTINCT(ip),
    source_orgs = VALUES(asn_org),
    countries = VALUES(country),
    unique_country_count = COUNT_DISTINCT(country),
    unique_asn_orgs = COUNT_DISTINCT(asn_org),
    first_seen = MIN(event_time),
    last_seen = MAX(event_time),
    total_attempts = COUNT()
  BY time_window
| EVAL
    duration_seconds = DATE_DIFF("seconds", first_seen, last_seen),
    bf_type = CASE(
        unique_users >= 15 AND unique_login_errors == 1 AND total_attempts >= 10 AND duration_seconds <= 1800, "password_spraying",
        unique_users >= 8 AND total_attempts >= 15 AND unique_login_errors <= 3 AND unique_ips <= 5 AND duration_seconds <= 600, "credential_stuffing",
        unique_users == 1 AND unique_login_errors == 1 AND total_attempts >= 30 AND duration_seconds <= 300, "password_guessing",
        "other"
    )
| KEEP
    time_window, bf_type, duration_seconds, total_attempts, first_seen, last_seen,
    unique_users, user_id_list, login_errors, unique_login_errors, request_types,
    app_names, ip_list, unique_ips, source_orgs, countries,
    unique_country_count, unique_asn_orgs,
    authentication_requirement, client_app_id, client_app_display_name,
    target_resource_id, target_resource_display_name, conditional_access_status,
    device_detail_browser, device_detail_device_id, incoming_token_type,
    risk_state, session_id, user_id, user_principal_name,
    result_description, result_signature, result_type
| WHERE bf_type != "other"
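Added example (not part of the Elastic rules): a Python port of the 5-minute bucketing and the bf_type CASE() logic shared by the two ES|QL rules "Potential Microsoft 365 User Account Brute Force" and "Potential Microsoft 365 Brute Force via Entra ID Sign-Ins", run over constructed events to show which window shape produces which label. The function names, the guess_min parameter (20 in the first rule, 30 in the second) and the sample data are assumptions made for illustration.

```python
from collections import defaultdict

WINDOW = 300  # seconds; mirrors DATE_TRUNC(5 minutes, @timestamp)

def classify(users, errors, ips, attempts, duration, guess_min=20):
    """Port of the CASE() expression: the first matching branch wins."""
    if users >= 15 and errors == 1 and attempts >= 10 and duration <= 1800:
        return "password_spraying"
    if users >= 8 and attempts >= 15 and errors <= 3 and ips <= 5 and duration <= 600:
        return "credential_stuffing"
    if users == 1 and errors == 1 and attempts >= guess_min and duration <= 300:
        return "password_guessing"
    return "other"

def detect(events, guess_min=20):
    """events: (epoch_seconds, user_id, ip, login_error) -> {window_start: bf_type}."""
    buckets = defaultdict(list)
    for ts, user, ip, err in events:
        buckets[ts - ts % WINDOW].append((ts, user.lower(), ip, err))
    alerts = {}
    for start, rows in sorted(buckets.items()):
        times = [r[0] for r in rows]
        label = classify(
            users=len({r[1] for r in rows}),
            errors=len({r[3] for r in rows}),
            ips=len({r[2] for r in rows}),
            attempts=len(rows),
            duration=max(times) - min(times),  # always < WINDOW inside one bucket
            guess_min=guess_min,
        )
        if label != "other":  # the final WHERE bf_type != "other"
            alerts[start] = label
    return alerts

# Constructed sample events (not real telemetry); 203.0.113.0/24 is a documentation range.
BASE = 5_666_667 * WINDOW  # aligned to a window boundary
BAD_PW = "InvalidUserNameOrPassword"
SPRAY = [(BASE + 10 * i, f"user{i}@example.com", "203.0.113.7", BAD_PW) for i in range(16)]
GUESS = [(BASE + WINDOW + 5 * i, "Admin@example.com", "203.0.113.8", BAD_PW) for i in range(25)]
STUFF = [(BASE + 2 * WINDOW + 10 * i, f"u{i % 8}@example.com", f"203.0.113.{20 + i % 3}",
          BAD_PW if i % 2 else "UserAccountNotFound") for i in range(16)]
EVENTS = SPRAY + GUESS + STUFF

if __name__ == "__main__":
    for start, label in detect(EVENTS).items():
        print(start, label)
```

Because rows are grouped by the 5-minute time_window before first_seen and last_seen are computed, duration_seconds is always below 300, so the 1800-, 600- and 300-second conditions never exclude a window; the user, error, IP and attempt counts do all of the classification.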