Initial SSO configuration issues or first-time federation setup errors for legitimate users may trigger this detection, as may temporary federation service outages affecting multiple users simultaneously.

Techniques

Sample rules

M365 Identity Unusual SSO Authentication Errors for User

Description

Identifies the first occurrence of SSO, SAML, or federated authentication errors for a user. These errors may indicate token manipulation, SAML assertion tampering, or OAuth phishing attempts. Modern adversaries often target SSO mechanisms through token theft, SAML response manipulation, or exploiting federated authentication weaknesses rather than traditional brute force attacks.

Detection logic

event.dataset:o365.audit
    and event.provider:AzureActiveDirectory
    and event.category:authentication
    and o365.audit.ErrorNumber:(
        20001 or 20012 or 20033 or 40008 or 40009 or 40015 or
        50006 or 50008 or 50012 or 50013 or 50027 or 50048 or
        50099 or 50132 or 75005 or 75008 or 75011 or 75016 or
        81004 or 81009 or 81010 or 399284 or 500212 or 500213 or
        700005 or 5000819
    )
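To show how the rule's predicates and its first-occurrence-per-user semantics behave, and how the outage false positive described above can be triaged, here is an added Python replay over constructed o365 audit events (example code, not the rule's own engine; the user field o365.audit.UserId, the timestamps and the window/threshold values are assumptions):

```python
"""Replay the sample rule over constructed o365 audit events, then apply the LoFP hint
that many users failing at once looks like a federation outage rather than an attack.
Added example, not Elastic's engine; o365.audit.UserId and all timestamps are assumed."""
from datetime import datetime, timedelta

SSO_ERROR_NUMBERS = {  # copied from the rule's o365.audit.ErrorNumber list
    20001, 20012, 20033, 40008, 40009, 40015, 50006, 50008, 50012,
    50013, 50027, 50048, 50099, 50132, 75005, 75008, 75011, 75016,
    81004, 81009, 81010, 399284, 500212, 500213, 700005, 5000819}

def matches_rule(event):
    """The rule's three field predicates plus the ErrorNumber membership test."""
    return (event.get("event.dataset") == "o365.audit"
            and event.get("event.provider") == "AzureActiveDirectory"
            and event.get("event.category") == "authentication"
            and event.get("o365.audit.ErrorNumber") in SSO_ERROR_NUMBERS)

def first_occurrences(events):
    """Earliest matching event per user: the 'first occurrence' the rule alerts on."""
    first = {}
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        user = ev["o365.audit.UserId"]  # assumed user field
        if matches_rule(ev) and user not in first:
            first[user] = ev
    return first

def outage_suspects(alerts, window=timedelta(minutes=5), min_users=3):
    """Users whose alert shares a window with >= min_users others: outage-shaped noise."""
    return {user for user, ev in alerts.items()
            if sum(abs(o["@timestamp"] - ev["@timestamp"]) <= window
                   for o in alerts.values()) >= min_users}

def _ev(user, ts, error):  # constructed sample event using the query's field names
    return {"@timestamp": ts, "event.dataset": "o365.audit",
            "event.provider": "AzureActiveDirectory", "event.category": "authentication",
            "o365.audit.UserId": user, "o365.audit.ErrorNumber": error}

T = datetime(2024, 1, 15, 9, 0)  # constructed base time
SAMPLE_EVENTS = [
    _ev("alice@example.com", T, 50013),
    _ev("bob@example.com", T + timedelta(seconds=30), 50006),
    _ev("carol@example.com", T + timedelta(minutes=1), 50012),
    _ev("alice@example.com", T + timedelta(minutes=5), 50013),  # repeat, not a first
    _ev("dave@example.com", T + timedelta(hours=2), 50126),     # code not in the rule
    _ev("erin@example.com", T + timedelta(hours=5), 75011),     # isolated: investigate
]

if __name__ == "__main__":
    alerts = first_occurrences(SAMPLE_EVENTS)
    for user in alerts:
        print(user, "probable outage" if user in outage_suspects(alerts) else "investigate")
```

The three users failing within one minute of each other are labelled as probable outage, while the isolated first-time SSO error for erin is the one worth an analyst's attention.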