IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.

« Azure Entra Sign-in Brute Force against Microsoft 365 Accounts Microsoft 365 Portal Logins from Impossible Travel Locations »

› ›

Azure Entra Sign-in Brute Force Microsoft 365 Accounts by Repeat Source

edit

IMPORTANT: This documentation is no longer updated. Refer to Elastic's version policy and the latest documentation.

Azure Entra Sign-in Brute Force Microsoft 365 Accounts by Repeat Source

edit

Identifies potential brute-force attempts against Microsoft 365 user accounts by detecting a high number of failed interactive or non-interactive login attempts within a 30-minute window from a single source. Attackers may attempt to brute force user accounts to gain unauthorized access to Microsoft 365 services via different services such as Exchange, SharePoint, or Teams.

Rule type: esql

Rule indices: None

Severity: medium

Risk score: 47

Runs every: 10m

Searches indices from: now-30m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

Domain: Cloud
Domain: SaaS
Data Source: Azure
Data Source: Entra ID
Data Source: Entra ID Sign-in
Use Case: Identity and Access Audit
Use Case: Threat Detection
Tactic: Credential Access

Version: 1

Rule authors:

Elastic

Rule license: Elastic License v2

Investigation guide

edit

This rule relies on Azure Entra ID sign-in logs, but filters for Microsoft 365 resources.

Rule query

edit

from logs-azure.signinlogs*
| WHERE
  event.dataset == "azure.signinlogs"
  and event.category == "authentication"
  and to_lower(azure.signinlogs.properties.resource_display_name) rlike "(.*)365(.*)"
  and azure.signinlogs.category in ("NonInteractiveUserSignInLogs", "SignInLogs")
  and event.outcome != "success"

  // For tuning, review azure.signinlogs.properties.status.error_code
  // https://learn.microsoft.com/en-us/entra/identity-platform/reference-error-codes

// Count the number of unique targets per source IP
| stats
  target_count = count_distinct(azure.signinlogs.properties.user_principal_name) by source.ip

// Filter for at least 10 distinct failed login attempts from a single source
| where target_count >= 10

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Credential Access
- ID: TA0006
- Reference URL: https://attack.mitre.org/tactics/TA0006/
Technique:
- Name: Brute Force
- ID: T1110
- Reference URL: https://attack.mitre.org/techniques/T1110/

« Azure Entra Sign-in Brute Force against Microsoft 365 Accounts Microsoft 365 Portal Logins from Impossible Travel Locations »