Azure Entra Sign-in Brute Force Microsoft 365 Accounts by Repeat Source

edit

Azure Entra Sign-in Brute Force Microsoft 365 Accounts by Repeat Source

edit

Identifies potential brute-force attempts against Microsoft 365 user accounts by detecting a high number of failed interactive or non-interactive login attempts within a 30-minute window from a single source. Attackers may attempt to brute force user accounts to gain unauthorized access to Microsoft 365 services via different services such as Exchange, SharePoint, or Teams.

Rule type: esql

Rule indices: None

Severity: medium

Risk score: 47

Runs every: 10m

Searches indices from: now-30m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Domain: Cloud
  • Domain: SaaS
  • Data Source: Azure
  • Data Source: Entra ID
  • Data Source: Entra ID Sign-in
  • Use Case: Identity and Access Audit
  • Use Case: Threat Detection
  • Tactic: Credential Access

Version: 2

Rule authors:

  • Elastic

Rule license: Elastic License v2

Investigation guide

edit

This rule relies on Azure Entra ID sign-in logs, but filters for Microsoft 365 resources.

Rule query

edit
from logs-azure.signinlogs*
| WHERE
  event.dataset == "azure.signinlogs"
  and event.category == "authentication"
  and to_lower(azure.signinlogs.properties.resource_display_name) rlike "(.*)365(.*)"
  and azure.signinlogs.category in ("NonInteractiveUserSignInLogs", "SignInLogs")
  and event.outcome != "success"

  // For tuning, review azure.signinlogs.properties.status.error_code
  // https://learn.microsoft.com/en-us/entra/identity-platform/reference-error-codes

// keep only relevant fields
| keep event.dataset, event.category, azure.signinlogs.properties.resource_display_name, azure.signinlogs.category, event.outcome, azure.signinlogs.properties.user_principal_name, source.ip

// Count the number of unique targets per source IP
| stats
  target_count = count_distinct(azure.signinlogs.properties.user_principal_name) by source.ip

// Filter for at least 10 distinct failed login attempts from a single source
| where target_count >= 10

Framework: MITRE ATT&CKTM