Techniques
Sample rules
O365 Multiple OS Vendors Authenticating From User
- source: splunk
- techniques:
- T1110
Description
The following analytic identifies when multiple operating systems are used to authenticate to Azure/EntraID/Office 365 by the same user account from the same client IP over a short period of time. This activity could be indicative of attackers enumerating the various logon capabilities of Azure/EntraID/Office 365 and attempting to discover weaknesses in the organizational MFA or conditional access configurations. Use of tools like “MFASweep” will trigger this detection.
Detection logic
`o365_management_activity` Operation IN (UserLoginFailed,UserLoggedIn)
| eval -time = _time
| bin _time span=15m
| stats values(Operation) as signature, values(ErrorNumber) as signature_id, values(OS) as os_name, dc(OS) as os_count, count, min(-time) as firstTime, max(-time) as lastTime by ClientIP, UserId, _time
| where os_count >= 4
| eval src = ClientIP, user = UserId
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `o365_multiple_os_vendors_authenticating_from_user_filter`
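The same grouping logic written out in Python, as an added example that is not part of the Splunk ESCU rule above: events are filtered to the two sign-in operations, grouped by client IP, user and 15-minute bin, and a finding is raised when the distinct OS count in one group reaches the rule's threshold of 4. The `SAMPLE_EVENTS` below are constructed, not real O365 management-activity records, and the field names mirror the ones the SPL uses (`Operation`, `UserId`, `ClientIP`, `OS`, `ErrorNumber`); `CreationTime` is assumed as the event timestamp field.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample events (not real logs). alice@ hits the sign-in
# endpoints from four distinct OS strings inside one 15-minute bin;
# bob@ uses two; one non-login operation must be ignored by the filter.
SAMPLE_EVENTS = [
    {"CreationTime": "2024-01-10T09:01:00", "Operation": "UserLoginFailed",
     "UserId": "alice@example.com", "ClientIP": "203.0.113.5", "OS": "Windows 10", "ErrorNumber": "50126"},
    {"CreationTime": "2024-01-10T09:04:00", "Operation": "UserLoginFailed",
     "UserId": "alice@example.com", "ClientIP": "203.0.113.5", "OS": "MacOs", "ErrorNumber": "50126"},
    {"CreationTime": "2024-01-10T09:07:00", "Operation": "UserLoggedIn",
     "UserId": "alice@example.com", "ClientIP": "203.0.113.5", "OS": "Linux", "ErrorNumber": ""},
    {"CreationTime": "2024-01-10T09:12:00", "Operation": "UserLoginFailed",
     "UserId": "alice@example.com", "ClientIP": "203.0.113.5", "OS": "Android", "ErrorNumber": "50076"},
    {"CreationTime": "2024-01-10T09:14:00", "Operation": "UserLoginFailed",
     "UserId": "alice@example.com", "ClientIP": "203.0.113.5", "OS": "Windows 10", "ErrorNumber": "50126"},
    {"CreationTime": "2024-01-10T09:20:00", "Operation": "UserLoginFailed",
     "UserId": "alice@example.com", "ClientIP": "203.0.113.5", "OS": "iOS", "ErrorNumber": "50126"},
    {"CreationTime": "2024-01-10T09:03:00", "Operation": "UserLoggedIn",
     "UserId": "bob@example.com", "ClientIP": "198.51.100.7", "OS": "Windows 10", "ErrorNumber": ""},
    {"CreationTime": "2024-01-10T09:05:00", "Operation": "UserLoggedIn",
     "UserId": "bob@example.com", "ClientIP": "198.51.100.7", "OS": "iOS", "ErrorNumber": ""},
    {"CreationTime": "2024-01-10T09:06:00", "Operation": "FileAccessed",
     "UserId": "alice@example.com", "ClientIP": "203.0.113.5", "OS": "ChromeOS", "ErrorNumber": ""},
]

LOGIN_OPERATIONS = ("UserLoginFailed", "UserLoggedIn")  # Operation IN (...)
WINDOW_SECONDS = 15 * 60                                 # bin _time span=15m
OS_THRESHOLD = 4                                         # where os_count >= 4


def bin_start(ts: datetime, span: int = WINDOW_SECONDS) -> datetime:
    """Floor a UTC timestamp to the start of its fixed-width bin."""
    epoch = int(ts.timestamp())
    return datetime.fromtimestamp(epoch - epoch % span, tz=timezone.utc)


def detect_multiple_os(events, threshold: int = OS_THRESHOLD):
    """Return one finding per (src, user, bin) whose distinct OS count >= threshold."""
    groups = defaultdict(list)
    for e in events:
        if e["Operation"] not in LOGIN_OPERATIONS:
            continue
        ts = datetime.fromisoformat(e["CreationTime"]).replace(tzinfo=timezone.utc)
        # Group on the binned time but keep the raw timestamp, as the SPL
        # does by stashing _time in a separate field before bin.
        groups[(e["ClientIP"], e["UserId"], bin_start(ts))].append((ts, e))

    findings = []
    for (src, user, window), items in groups.items():
        os_names = sorted({e["OS"] for _, e in items})
        if len(os_names) < threshold:
            continue
        times = [t for t, _ in items]
        findings.append({
            "src": src,
            "user": user,
            "window_start": window.isoformat(),
            "signature": sorted({e["Operation"] for _, e in items}),
            "signature_id": sorted({e["ErrorNumber"] for _, e in items if e["ErrorNumber"]}),
            "os_name": os_names,
            "os_count": len(os_names),
            "count": len(items),
            "firstTime": min(times).isoformat(),
            "lastTime": max(times).isoformat(),
        })
    return findings


if __name__ == "__main__":
    for f in detect_multiple_os(SAMPLE_EVENTS):
        print(f)
```

Two things worth noticing when tuning this: the bins are fixed 15-minute boundaries rather than a sliding window, so in the sample the fifth OS at 09:20 lands in the next bin and does not join the 09:00 group, and a burst straddling a boundary can be split below the threshold; and the grouping is per client IP, so an attacker rotating source addresses would spread the OS values across groups. Both are properties of the SPL as written, not of this rewrite.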