LoFP: the alert threshold is set above 10 failed attempts, which should reduce the number of false positives.

Techniques

Sample rules

O365 Excessive Authentication Failures Alert

Description

The following analytic identifies an excessive number of authentication failures, including failed attempts against MFA prompt codes. It uses data from the o365_management_activity dataset, focusing on events where the authentication status is marked as failure. This behavior is significant as it may indicate a brute force attack or an attempt to compromise user accounts. If confirmed malicious, this activity could lead to unauthorized access, data breaches, or further exploitation within the environment.

Detection logic

`o365_management_activity` Workload=AzureActiveDirectory UserAuthenticationMethod=* status=failure 
| stats count earliest(_time) AS firstTime latest(_time) AS lastTime values(UserAuthenticationMethod) AS UserAuthenticationMethod values(UserAgent) AS UserAgent values(status) AS status values(src_ip) AS src_ip by user 
| where count > 10 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `o365_excessive_authentication_failures_alert_filter`
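As an added example (not part of the LoFP page or of the Splunk rule itself), the script below re-implements the pipeline above in plain Python over a constructed batch of o365_management_activity-style events, so the threshold and filter behaviour can be checked offline. Field names (Workload, UserAuthenticationMethod, status, user, UserAgent, src_ip, _time) are taken from the query; every event value is made up; `ctime` stands in for the `security_content_ctime` macro and the `exclude_users` parameter is an assumed stand-in for the trailing `_filter` tuning macro.

```python
import json
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample events shaped like the o365_management_activity records the SPL
# reads. No value here comes from a real tenant; _time is epoch seconds.
BASE = 1_700_000_000
SAMPLE_EVENTS = []
for i in range(12):  # 12 MFA-prompt failures for one user: crosses the > 10 threshold
    SAMPLE_EVENTS.append({
        "Workload": "AzureActiveDirectory",
        "UserAuthenticationMethod": "OneWaySMS" if i % 2 else "PhoneAppNotification",
        "status": "failure",
        "user": "alice@example.test",
        "UserAgent": "Mozilla/5.0 (constructed)",
        "src_ip": "203.0.113.10" if i < 8 else "203.0.113.11",
        "_time": BASE + 30 * i,
    })
for i in range(3):  # 3 failures for another user: stays below the threshold
    SAMPLE_EVENTS.append({
        "Workload": "AzureActiveDirectory",
        "UserAuthenticationMethod": "PhoneAppNotification",
        "status": "failure",
        "user": "bob@example.test",
        "UserAgent": "Mozilla/5.0 (constructed)",
        "src_ip": "198.51.100.7",
        "_time": BASE + 60 * i,
    })
# Events the base search must drop: a success, a non-AAD workload, a missing method field.
SAMPLE_EVENTS.append({"Workload": "AzureActiveDirectory", "UserAuthenticationMethod": "OneWaySMS",
                      "status": "success", "user": "alice@example.test",
                      "UserAgent": "Mozilla/5.0 (constructed)", "src_ip": "203.0.113.10", "_time": BASE + 400})
SAMPLE_EVENTS.append({"Workload": "Exchange", "UserAuthenticationMethod": "OneWaySMS",
                      "status": "failure", "user": "alice@example.test",
                      "UserAgent": "Mozilla/5.0 (constructed)", "src_ip": "203.0.113.10", "_time": BASE + 401})
SAMPLE_EVENTS.append({"Workload": "AzureActiveDirectory", "status": "failure", "user": "alice@example.test",
                      "UserAgent": "Mozilla/5.0 (constructed)", "src_ip": "203.0.113.10", "_time": BASE + 402})


def ctime(epoch):
    """Stand-in for the security_content_ctime macro: epoch seconds -> readable UTC time."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def matches_search(ev):
    """Base search: Workload=AzureActiveDirectory UserAuthenticationMethod=* status=failure.
    `field=*` in SPL requires the field to exist, so records without a method are dropped."""
    return (
        ev.get("Workload") == "AzureActiveDirectory"
        and ev.get("UserAuthenticationMethod") not in (None, "")
        and ev.get("status") == "failure"
    )


def excessive_auth_failures(events, threshold=10, exclude_users=()):
    """Equivalent of `stats count earliest latest values(...) by user | where count > threshold`.
    exclude_users is an assumed allowlist hook standing in for the rule's _filter macro."""
    per_user = defaultdict(list)
    for ev in events:
        if matches_search(ev) and ev["user"] not in exclude_users:
            per_user[ev["user"]].append(ev)
    results = {}
    for user, evs in per_user.items():
        if len(evs) <= threshold:  # `where count > 10`
            continue
        # Splunk values() yields distinct values in lexical order; sorted(set(...)) matches that.
        results[user] = {
            "count": len(evs),
            "firstTime": ctime(min(e["_time"] for e in evs)),
            "lastTime": ctime(max(e["_time"] for e in evs)),
            "UserAuthenticationMethod": sorted({e["UserAuthenticationMethod"] for e in evs}),
            "UserAgent": sorted({e["UserAgent"] for e in evs}),
            "status": sorted({e["status"] for e in evs}),
            "src_ip": sorted({e["src_ip"] for e in evs}),
        }
    return results


if __name__ == "__main__":
    print(json.dumps(excessive_auth_failures(SAMPLE_EVENTS), indent=2))
```

Running it prints one row, for alice, with count 12 and both source IPs listed; lowering the threshold to 2 surfaces bob as well, which is the knob the LoFP note refers to when it says the 10-attempt threshold keeps false positives down.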