Techniques
Sample rules
O365 Excessive SSO logon errors
- source: splunk
- technicques:
- T1556
Description
The following analytic detects accounts with high number of Single Sign ON (SSO) logon errors. Excessive logon errors may indicate attempts to bruteforce of password or single sign on token hijack or reuse.
Detection logic
`o365_management_activity` Workload=AzureActiveDirectory LogonError=*Sso* Operation=UserLoginFailed
| stats count min(_time) as firstTime max(_time) as lastTime values(user) as user by src_ip signature user_agent authentication_service action
| where count >= 5
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `o365_excessive_sso_logon_errors_filter`