Link Search Menu Expand Document

O365_AzureAD_UserLoginFailed_Brute_Force

ID: 100470

Description:

An aggregation rule to track UserLoginFailed operations in Azure Active Directory.

This rule will trigger when the number of events per one (1) hour exceeds 120. This indicates that an O365 user account (UserId) may have had an attempted brute force.

Notes: LogonError - UserAccountNotFound events are excluded

Repository: Group: Office365 Type: event

Default Status:

Disabled

Tags:  
O365 AzureAD
   

Selector:

Query:

Filters:

Field MUST hit
@sender office365
@fields.Workload AzureActiveDirectory
@fields.Operation UserLoginFailed
Field MUST NOT hit
@fields.LogonError UserAccountNotFound

Behavior Rule:

Key Type Behavior Category
@fields.UserId username account login

Risks:

Risks Base Score Dimension
     

Attributes:

Alias Key
Username @fields.UserId
Country @fields._ip.country
City @fields._ip.city
IP @fields.ClientIP
ISP @fields._ip.isp

Correlation Rules:

Aggregation:

Name Window Field AggType Match
BruteForce 1 hour   count gt 120
  Risks: ALERT_POLICY    

History:

User Date
em*n@fluencysecurity.com 2021 Feb 19 20:44:15 EST
em*n@fluencysecurity.com 2021 Feb 22 15:36:14 EST
em*n@fluencysecurity.com 2021 Jul 7 17:18:42 EDT
ho*d@fluencysecurity.com 2021 Jul 22 16:37:45 EDT
ho*d@fluencysecurity.com 2021 Oct 4 14:59:14 EDT
ho*d@fluencysecurity.com 2021 Oct 4 15:00:33 EDT
ho*d@fluencysecurity.com 2021 Oct 4 15:08:50 EDT
ho*d@fluencysecurity.com 2021 Oct 8 10:39:56 EDT

This page was automatically created/formatted on Tue, 2021 Oct 19 00:29:17 EDT, from rule_dump.json (db47c470500ce8686ead334f5eda0596)