LoFP

Logon errors may not be malicious in nature; however, they may indicate attempts to reuse a token or password obtained through a credential access attack.

Techniques

Sample rules

O365 Excessive SSO logon errors

Description

The following analytic detects accounts with a high number of Single Sign-On (SSO) logon errors. Excessive logon errors may indicate attempts to brute-force a password, or to hijack or reuse a single sign-on token.

Detection logic

`o365_management_activity` Workload=AzureActiveDirectory LogonError=*Sso* Operation=UserLoginFailed
| stats count min(_time) as firstTime max(_time) as lastTime values(user) as user by src_ip signature user_agent authentication_service action
| where count >= 5
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `o365_excessive_sso_logon_errors_filter`
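To show what the search above actually does to the data, here is the same base filter and stats/where pipeline re-implemented in Python over a handful of constructed events. This is an added example, not code from the original page or from the security content project; the events are made up, and the assumption is that the field names (src_ip, signature, user_agent, authentication_service, action, user, _time) are the ones the SPL sees after Splunk's field extraction and CIM normalisation of the raw O365 management activity records.

```python
"""Re-implementation of the O365 excessive SSO logon error search over in-memory events."""
from collections import defaultdict

# Constructed sample events (not real O365 data). Field names mirror those the SPL
# search uses after Splunk's field extraction/CIM mapping, which is an assumption here.
_T0 = 1_700_000_000  # arbitrary epoch base for the constructed timestamps


def _evt(t, src_ip, user, logon_error="SsoArtifactInvalidOrExpired",
         workload="AzureActiveDirectory", operation="UserLoginFailed"):
    return {
        "_time": _T0 + t,
        "Workload": workload,
        "Operation": operation,
        "LogonError": logon_error,
        "src_ip": src_ip,
        "user": user,
        "signature": operation,
        "user_agent": "Mozilla/5.0 (Windows NT 10.0)",
        "authentication_service": "AzureAD",
        "action": "failure",
    }


SAMPLE_EVENTS = [
    # one source IP cycling SSO token failures across several accounts (the case the rule targets)
    _evt(0, "203.0.113.10", "alice"),
    _evt(10, "203.0.113.10", "bob"),
    _evt(20, "203.0.113.10", "carol"),
    _evt(30, "203.0.113.10", "alice"),
    _evt(40, "203.0.113.10", "bob"),
    _evt(50, "203.0.113.10", "carol"),
    # one user with a couple of expired-token errors: a likely benign case, below threshold
    _evt(5, "198.51.100.7", "dave"),
    _evt(65, "198.51.100.7", "dave"),
    # events the base search excludes: wrong LogonError, wrong Workload, wrong Operation
    _evt(70, "203.0.113.10", "erin", logon_error="InvalidUserNameOrPassword"),
    _evt(80, "203.0.113.10", "erin", workload="Exchange"),
    _evt(90, "203.0.113.10", "erin", operation="UserLoggedIn"),
]

# the "by" clause of the stats command
GROUP_BY = ("src_ip", "signature", "user_agent", "authentication_service", "action")


def matches_base_search(event):
    """Workload=AzureActiveDirectory LogonError=*Sso* Operation=UserLoginFailed.

    Splunk compares field values case-insensitively, so every comparison is done
    on lowercased values and the *Sso* wildcard becomes a substring test.
    """
    return (
        str(event.get("Workload", "")).lower() == "azureactivedirectory"
        and str(event.get("Operation", "")).lower() == "userloginfailed"
        and "sso" in str(event.get("LogonError", "")).lower()
    )


def excessive_sso_logon_errors(events, threshold=5):
    """Equivalent of the stats/where pipeline.

    Groups matching events by GROUP_BY, computes count, firstTime, lastTime and the
    distinct users per group, and keeps only groups with count >= threshold.
    """
    groups = defaultdict(list)
    for e in events:
        if matches_base_search(e):
            groups[tuple(e.get(k) for k in GROUP_BY)].append(e)

    results = []
    for key, evs in groups.items():
        if len(evs) < threshold:
            continue
        row = dict(zip(GROUP_BY, key))
        row.update(
            count=len(evs),
            firstTime=min(e["_time"] for e in evs),
            lastTime=max(e["_time"] for e in evs),
            user=sorted({e["user"] for e in evs}),  # values(user)
        )
        results.append(row)
    results.sort(key=lambda r: r["count"], reverse=True)
    return results


if __name__ == "__main__":
    for row in excessive_sso_logon_errors(SAMPLE_EVENTS):
        print(row)
```

Running it returns a single row for 203.0.113.10 with count 6 and three distinct users, while dave's two errors from 198.51.100.7 fall under the threshold. Lowering the threshold to 2 surfaces dave as well, which is the kind of false positive the filter macro at the end of the search exists to suppress: a user whose cached SSO token has expired can legitimately produce a burst of these errors, so tune the threshold and the filter on the distinct-user count and source IP rather than on raw error volume alone.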