O365_AzureAD_UserLoginFailed_Brute_Force
ID: 100470
Description:
An aggregation rule to track UserLoginFailed operations in Azure Active Directory.
This rule will trigger when the number of events per one (1) hour exceeds 120. This indicates that an O365 user account (UserId) may have had an attempted brute force.
Notes: LogonError - UserAccountNotFound events are excluded
Repository: Group: Office365 Type: event
Default Status:
Disabled
| Tags: | |
|---|---|
| O365 | AzureAD |
Selector:
Query:
Filters:
| Field | MUST hit |
|---|---|
| @sender | office365 |
| @fields.Workload | AzureActiveDirectory |
| @fields.Operation | UserLoginFailed |
| Field | MUST NOT hit |
|---|---|
| @fields.LogonError | UserAccountNotFound |
Behavior Rule:
| Key | Type | Behavior Category |
|---|---|---|
| @fields.UserId | username | account login |
Risks:
| Risks | Base Score | Dimension |
|---|---|---|
Attributes:
| Alias | Key |
|---|---|
| Username | @fields.UserId |
| Country | @fields._ip.country |
| City | @fields._ip.city |
| IP | @fields.ClientIP |
| ISP | @fields._ip.isp |
Correlation Rules:
Aggregation:
| Name | Window | Field | AggType | Match |
|---|---|---|---|---|
| BruteForce | 1 hour | count | gt 120 | |
| Risks: | ALERT_POLICY |
History:
| User | Date |
|---|---|
| em*n@fluencysecurity.com | 2021 Feb 19 20:44:15 EST |
| em*n@fluencysecurity.com | 2021 Feb 22 15:36:14 EST |
| em*n@fluencysecurity.com | 2021 Jul 7 17:18:42 EDT |
| ho*d@fluencysecurity.com | 2021 Jul 22 16:37:45 EDT |
| ho*d@fluencysecurity.com | 2021 Oct 4 14:59:14 EDT |
| ho*d@fluencysecurity.com | 2021 Oct 4 15:00:33 EDT |
| ho*d@fluencysecurity.com | 2021 Oct 4 15:08:50 EDT |
| ho*d@fluencysecurity.com | 2021 Oct 8 10:39:56 EDT |
This page was automatically created/formatted on Wed, 2022 May 4 21:43:53 EDT, from rule_dump.json (4d88bffdfb1cea26b3985f2193033606)