O365 Excessive Authentication Failures Alert
- source: splunk
- techniques:
- T1110
Description
This search detects when an excessive number of authentication failures occur for a single user. The search also covers failed attempts against MFA prompt codes, since it matches any event that carries a UserAuthenticationMethod value.
Detection logic
`o365_management_activity` Workload=AzureActiveDirectory UserAuthenticationMethod=* status=failure
| stats count earliest(_time) AS firstTime latest(_time) AS lastTime values(UserAuthenticationMethod) AS UserAuthenticationMethod values(UserAgent) AS UserAgent values(status) AS status values(src_ip) AS src_ip by user
| where count > 10
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `o365_excessive_authentication_failures_alert_filter`
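The aggregation above, re-implemented in Python over constructed O365 management activity events so the threshold behaviour can be checked offline. This is an added example, not part of the rule page or of Splunk's security_content; it assumes the field names used in the SPL (Workload, UserAuthenticationMethod, status, user, UserAgent, src_ip, _time) and that _time is epoch seconds.

```python
# Added example (not from the rule page): mirrors the SPL aggregation in Python
# so the "count > 10 per user" threshold can be exercised on constructed events.
from collections import defaultdict

THRESHOLD = 10  # the rule alerts on `where count > 10`


def detect_excessive_auth_failures(events, threshold=THRESHOLD):
    """Filter AzureActiveDirectory failures that carry a UserAuthenticationMethod,
    aggregate per user like `stats ... by user`, return users over the threshold."""
    groups = defaultdict(lambda: {"count": 0, "firstTime": None, "lastTime": None,
                                  "UserAuthenticationMethod": set(), "UserAgent": set(),
                                  "status": set(), "src_ip": set()})
    for ev in events:
        # Workload=AzureActiveDirectory UserAuthenticationMethod=* status=failure
        if ev.get("Workload") != "AzureActiveDirectory":
            continue
        if not ev.get("UserAuthenticationMethod"):  # "=*" needs the field present
            continue
        if ev.get("status") != "failure":
            continue
        g = groups[ev["user"]]
        g["count"] += 1
        t = ev["_time"]
        g["firstTime"] = t if g["firstTime"] is None else min(g["firstTime"], t)
        g["lastTime"] = t if g["lastTime"] is None else max(g["lastTime"], t)
        for field in ("UserAuthenticationMethod", "UserAgent", "status", "src_ip"):
            if ev.get(field):
                g[field].add(ev[field])  # values(field) collects distinct values
    # | where count > 10
    return {u: g for u, g in groups.items() if g["count"] > threshold}


# Constructed sample events: 12 OTP failures for alice (alerts), 3 password
# failures for bob (below threshold), 1 non-AzureAD event for carol (filtered out).
SAMPLE_EVENTS = (
    [{"_time": 1700000000 + i, "Workload": "AzureActiveDirectory",
      "UserAuthenticationMethod": "PhoneAppOTP", "status": "failure",
      "user": "alice@example.com", "UserAgent": "Mozilla/5.0",
      "src_ip": "198.51.100.7"} for i in range(12)]
    + [{"_time": 1700000100 + i, "Workload": "AzureActiveDirectory",
        "UserAuthenticationMethod": "Password", "status": "failure",
        "user": "bob@example.com", "UserAgent": "Mozilla/5.0",
        "src_ip": "203.0.113.9"} for i in range(3)]
    + [{"_time": 1700000200, "Workload": "Exchange", "UserAuthenticationMethod": "Password",
        "status": "failure", "user": "carol@example.com", "src_ip": "203.0.113.9"}]
)

if __name__ == "__main__":
    for user, g in detect_excessive_auth_failures(SAMPLE_EVENTS).items():
        print(user, g["count"], sorted(g["UserAuthenticationMethod"]),
              g["firstTime"], g["lastTime"], sorted(g["src_ip"]))
```

Lowering the threshold argument is a quick way to see which users would surface if the `where count > 10` cut-off were tuned for a quieter tenant.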