Link Search Menu Expand Document

O365_Brute_Force_Attempt

ID: 100392

Description:

An O365 user account may have had an attempted brute force

Repository: Group: Office365ES Type: event

Default Status:

Enabled

Tags:
O365
 

Selector:

Query:

Filters:

Field MUST hit
input.type o365audit
o365.audit.Workload AzureActiveDirectory
o365.audit.Operation UserLoginFailed
Field MUST NOT hit
   

Behavior Rule:

Key Type Behavior Category
o365.audit.UserId username account login

Risks:

Risks Base Score Dimension
     

Attributes:

Alias Key
Username o365.audit.UserId
Country _ip.country
City _ip.city
IP o365.audit.ClientIP
ISP _ip.isp

Correlation Rules:

Aggregation:

Name Window Field AggType Match
BruteForce 1 hour   count gt 120
  Risks: ALERT_POLICY    

History:

| User | Date | | :— | :— | | — | — |

This page was automatically created/formatted on Tue, 2021 Oct 19 00:29:17 EDT, from rule_dump.json (db47c470500ce8686ead334f5eda0596)