Techniques
Sample rules
Potential Password Spraying of Microsoft 365 User Accounts
- source: elastic
- technicques:
- T1110
Description
Identifies a high number (25) of failed Microsoft 365 user authentication attempts from a single IP address within 30 minutes, which could be indicative of a password spraying attack. An adversary may attempt a password spraying attack to obtain unauthorized access to user accounts.
Detection logic
event.dataset:o365.audit and event.provider:(Exchange or AzureActiveDirectory) and event.category:authentication and
event.action:("UserLoginFailed" or "PasswordLogonInitialAuthUsingPassword")
O365 Excessive Single Sign-On Logon Errors
- source: elastic
- technicques:
- T1110
Description
Identifies accounts with a high number of single sign-on (SSO) logon errors. Excessive logon errors may indicate an attempt to brute force a password or SSO token.
Detection logic
event.dataset:o365.audit and event.provider:AzureActiveDirectory and event.category:authentication and o365.audit.LogonError:"SsoArtifactInvalidOrExpired"
Attempts to Brute Force a Microsoft 365 User Account
- source: elastic
- technicques:
- T1110
Description
Identifies attempts to brute force a Microsoft 365 user account. An adversary may attempt a brute force attack to obtain unauthorized access to user accounts.
Detection logic
event.dataset:o365.audit and event.provider:(AzureActiveDirectory or Exchange) and
event.category:authentication and event.action:(UserLoginFailed or PasswordLogonInitialAuthUsingPassword) and
not o365.audit.LogonError:(UserAccountNotFound or EntitlementGrantsNotFound or UserStrongAuthEnrollmentRequired or
UserStrongAuthClientAuthNRequired or InvalidReplyTo)
AWS Management Console Brute Force of Root User Identity
- source: elastic
- technicques:
- T1110
Description
Identifies a high number of failed authentication attempts to the AWS management console for the Root user identity. An adversary may attempt to brute force the password for the Root user identity, as it has complete access to all services and resources for the AWS account.
Detection logic
event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:ConsoleLogin and aws.cloudtrail.user_identity.type:Root and event.outcome:failure
Okta Brute Force or Password Spraying Attack
- source: elastic
- technicques:
- T1110
Description
Identifies a high number of failed Okta user authentication attempts from a single IP address, which could be indicative of a brute force or password spraying attack. An adversary may attempt a brute force or password spraying attack to obtain unauthorized access to user accounts.
Detection logic
event.dataset:okta.system and event.category:authentication and event.outcome:failure