Logon errors may not be malicious in nature; however, they may indicate attempts to reuse a token or password obtained through a credential access attack.

Techniques

Sample rules

O365 Excessive SSO logon errors

Description

The following analytic detects accounts experiencing a high number of Single Sign-On (SSO) logon errors. It leverages data from the o365_management_activity dataset, focusing on failed user login attempts with SSO errors. This activity is significant as it may indicate brute-force attempts or the hijacking/reuse of SSO tokens. If confirmed malicious, attackers could potentially gain unauthorized access to user accounts, leading to data breaches, privilege escalation, or further lateral movement within the organization.

Detection logic

`o365_management_activity` Workload=AzureActiveDirectory LogonError=*Sso* Operation=UserLoginFailed
| stats count min(_time) as firstTime max(_time) as lastTime values(user) as user by src_ip signature user_agent authentication_service action
| where count >= 5
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `o365_excessive_sso_logon_errors_filter`
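The following is an added example, not code from this page or from the Splunk security_content project: a stand-alone Python re-implementation of the search above (base filter, `stats ... by` grouping, `count >= 5` threshold and the ctime formatting), run over constructed o365_management_activity-style events. It also includes a hypothetical stand-in for the `o365_excessive_sso_logon_errors_filter` tuning macro. The sample events, the `signature`/`action` field derivation, the authentication_service value and the allowlist filter are all assumptions made for the example; the IPs are documentation ranges.

```python
"""Added example (not from the LoFP page or Splunk security_content): re-implements
the 'O365 Excessive SSO logon errors' grouping and threshold over constructed
o365_management_activity-style events so the rule and the benign retry case
described in the false-positive note can be examined offline."""
from collections import defaultdict
from datetime import datetime, timezone

BASE_TIME = 1_700_000_000  # 2023-11-14 22:13:20 UTC, epoch seconds like Splunk _time
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"


def make_event(offset, user, src_ip, logon_error,
               workload="AzureActiveDirectory", operation="UserLoginFailed",
               user_agent=BROWSER_UA):
    """Build one constructed event with the fields the SPL search references.
    Assumption: 'signature' mirrors Operation and 'action' reflects the failed
    result, as the Splunk add-on's field mapping would; both are set by hand here."""
    return {
        "_time": BASE_TIME + offset,
        "Workload": workload,
        "Operation": operation,
        "LogonError": logon_error,
        "user": user,
        "src_ip": src_ip,
        "signature": operation,
        "user_agent": user_agent,
        "authentication_service": "Office 365 Exchange Online",  # constructed value
        "action": "failure" if operation == "UserLoginFailed" else "success",
    }


# Constructed sample data, not real tenant telemetry.
SAMPLE_EVENTS = (
    # One source hitting three accounts with expired/invalid SSO artifacts:
    # the token-reuse / spraying pattern the rule is meant to surface.
    [make_event(30 * i, u, "203.0.113.10", "SsoArtifactInvalidOrExpired")
     for i, u in enumerate(["alice@example.com", "bob@example.com", "carol@example.com",
                            "alice@example.com", "bob@example.com", "carol@example.com"])]
    # One user from a fixed egress IP retrying after a Conditional Access re-auth:
    # crosses the threshold but is the benign case the false-positive note warns about.
    + [make_event(10 * i, "dave@example.com", "198.51.100.7",
                  "SsoArtifactExpiredDueToConditionalAccess") for i in range(5)]
    # A non-SSO failure and a non-AAD event: both must be dropped by the base search.
    + [make_event(200, "alice@example.com", "203.0.113.10", "InvalidUserNameOrPassword"),
       make_event(210, "alice@example.com", "203.0.113.10", "",
                  workload="Exchange", operation="MailItemsAccessed")]
)


def matches_base_search(event):
    """Workload=AzureActiveDirectory LogonError=*Sso* Operation=UserLoginFailed.
    Splunk wildcard field matches are case-insensitive, hence the .lower()."""
    return (event.get("Workload") == "AzureActiveDirectory"
            and event.get("Operation") == "UserLoginFailed"
            and "sso" in str(event.get("LogonError", "")).lower())


def ctime(epoch):
    """Equivalent of security_content_ctime (strftime %m/%d/%Y %H:%M:%S), rendered in UTC."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%m/%d/%Y %H:%M:%S")


def excessive_sso_logon_errors(events, threshold=5):
    """stats count min(_time) max(_time) values(user) by src_ip signature user_agent
    authentication_service action | where count >= threshold.
    distinct_users is an extra triage field: many users from one source is the
    spraying/token-reuse shape, one user retrying is the usual benign shape."""
    groups = defaultdict(list)
    for e in events:
        if matches_base_search(e):
            key = (e["src_ip"], e["signature"], e["user_agent"],
                   e["authentication_service"], e["action"])
            groups[key].append(e)
    results = []
    for (src_ip, signature, user_agent, auth_svc, action), evs in groups.items():
        if len(evs) < threshold:
            continue
        times = [e["_time"] for e in evs]
        users = sorted({e["user"] for e in evs})
        results.append({
            "src_ip": src_ip, "signature": signature, "user_agent": user_agent,
            "authentication_service": auth_svc, "action": action,
            "count": len(evs), "firstTime": ctime(min(times)), "lastTime": ctime(max(times)),
            "user": users, "distinct_users": len(users),
        })
    return sorted(results, key=lambda r: r["src_ip"])


def apply_filter(results, allowed_src_ips=frozenset()):
    """Hypothetical stand-in for the o365_excessive_sso_logon_errors_filter macro.
    security_content ships that macro as a no-op (search *); this version drops
    known-good egress IPs, one way a team might tune out the benign retry case."""
    return [r for r in results if r["src_ip"] not in allowed_src_ips]


if __name__ == "__main__":
    hits = excessive_sso_logon_errors(SAMPLE_EVENTS)
    for r in hits:
        print(f"{r['src_ip']:14} count={r['count']} users={r['distinct_users']} "
              f"{r['firstTime']} -> {r['lastTime']} {r['user']}")
    print("after filter:", [r["src_ip"] for r in apply_filter(hits, {"198.51.100.7"})])
```

Both groups cross the threshold, which is exactly the false positive the note describes: the single user retrying from a fixed egress IP looks the same to `count >= 5` as the source cycling through three accounts. The `distinct_users` field and the allowlist are two of the cheaper ways to separate them before the alert reaches an analyst.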