Azure Entra Sign-in Brute Force Microsoft 365 Accounts by Repeat Source
Identifies potential brute-force attempts against Microsoft 365 user accounts by detecting a high number of failed interactive or non-interactive login attempts within a 30-minute window from a single source. Attackers may attempt to brute force user accounts to gain unauthorized access to Microsoft 365 services via different services such as Exchange, SharePoint, or Teams.
Rule type: esql
Rule indices: None
Severity: medium
Risk score: 47
Runs every: 10m
Searches indices from: now-30m (Date Math format, see also Additional look-back time)
Maximum alerts per execution: 100
References:
Tags:
- Domain: Cloud
- Domain: SaaS
- Data Source: Azure
- Data Source: Entra ID
- Data Source: Entra ID Sign-in
- Use Case: Identity and Access Audit
- Use Case: Threat Detection
- Tactic: Credential Access
Version: 2
Rule authors:
- Elastic
Rule license: Elastic License v2
Investigation guide
This rule relies on Azure Entra ID sign-in logs, but filters for Microsoft 365 resources.
Rule query
from logs-azure.signinlogs*
| WHERE event.dataset == "azure.signinlogs"
    and event.category == "authentication"
    and to_lower(azure.signinlogs.properties.resource_display_name) rlike "(.*)365(.*)"
    and azure.signinlogs.category in ("NonInteractiveUserSignInLogs", "SignInLogs")
    and event.outcome != "success"
// For tuning, review azure.signinlogs.properties.status.error_code
// https://learn.microsoft.com/en-us/entra/identity-platform/reference-error-codes
// keep only relevant fields
| keep event.dataset, event.category, azure.signinlogs.properties.resource_display_name, azure.signinlogs.category, event.outcome, azure.signinlogs.properties.user_principal_name, source.ip
// Count the number of unique targets per source IP
| stats target_count = count_distinct(azure.signinlogs.properties.user_principal_name) by source.ip
// Filter for at least 10 distinct failed login attempts from a single source
| where target_count >= 10
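The following Python script is an added illustration of the rule's logic, not Elastic's code and not part of the rule itself. It replays the query's filter, 30-minute look-back, per-source distinct-target count and threshold of 10 over a handful of constructed sign-in events, so that the tuning points named above (the resource name match, the sign-in categories, the non-success outcome) can be exercised offline. The flattened field names mirror those in the query; the sample IPs, user principal names and resource names are made up.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

THRESHOLD = 10                      # distinct targets per source, as in the rule's final `where`
WINDOW = timedelta(minutes=30)      # matches "Searches indices from: now-30m"
M365_RE = re.compile(r".*365.*")    # ES|QL rlike matches the whole string, hence fullmatch below


def is_failed_m365_signin(ev: dict) -> bool:
    """Apply the rule's WHERE clause to one flattened sign-in event."""
    props = ev.get("azure.signinlogs.properties", {})
    resource = str(props.get("resource_display_name", "")).lower()
    return (
        ev.get("event.dataset") == "azure.signinlogs"
        and ev.get("event.category") == "authentication"
        and M365_RE.fullmatch(resource) is not None
        and ev.get("azure.signinlogs.category") in ("NonInteractiveUserSignInLogs", "SignInLogs")
        and ev.get("event.outcome") != "success"
    )


def count_targets_per_source(events, now):
    """Equivalent of `stats target_count = count_distinct(upn) by source.ip` over the look-back."""
    targets = defaultdict(set)
    start = now - WINDOW
    for ev in events:
        ts = datetime.fromisoformat(ev["@timestamp"])
        if ts < start or ts > now:          # outside the rule's search window
            continue
        if not is_failed_m365_signin(ev):
            continue
        upn = ev["azure.signinlogs.properties"].get("user_principal_name")
        if upn:
            targets[ev["source.ip"]].add(upn)
    return {ip: len(upns) for ip, upns in targets.items()}


def find_brute_force_sources(events, now, threshold=THRESHOLD):
    """Sources whose distinct failed-login targets reach the threshold (`where target_count >= 10`)."""
    return {ip: n for ip, n in count_targets_per_source(events, now).items() if n >= threshold}


def sample_events(now):
    """Constructed sample sign-in events (not real log data)."""
    def ev(minutes_ago, ip, upn, outcome="failure", resource="Office 365 Exchange Online",
           category="SignInLogs"):
        return {
            "@timestamp": (now - timedelta(minutes=minutes_ago)).isoformat(),
            "event.dataset": "azure.signinlogs",
            "event.category": "authentication",
            "event.outcome": outcome,
            "azure.signinlogs.category": category,
            "azure.signinlogs.properties": {"resource_display_name": resource,
                                            "user_principal_name": upn},
            "source.ip": ip,
        }
    events = [ev(i, "203.0.113.10", f"user{i}@example.com") for i in range(12)]   # 12 distinct accounts
    events += [ev(i, "198.51.100.7", "alice@example.com") for i in range(3)]      # same account three times
    events.append(ev(5, "203.0.113.10", "user0@example.com", outcome="success"))  # success is excluded
    events.append(ev(45, "192.0.2.9", "bob@example.com"))                          # older than 30 minutes
    events.append(ev(2, "192.0.2.9", "carol@example.com", resource="Azure Portal"))  # not an M365 resource
    events.append(ev(2, "192.0.2.9", "dave@example.com", category="ManagedIdentitySignInLogs"))
    return events


DEMO_NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)   # fixed clock for the constructed sample


def run_demo():
    events = sample_events(DEMO_NOW)
    return find_brute_force_sources(events, DEMO_NOW), count_targets_per_source(events, DEMO_NOW)


if __name__ == "__main__":
    hits, counts = run_demo()
    print("per-source distinct targets:", counts)   # {'203.0.113.10': 12, '198.51.100.7': 1}
    print("sources over threshold:", hits)          # {'203.0.113.10': 12}
```

Running it shows what the rule counts and what it does not: the source spraying twelve different accounts is reported, while the source that fails three times against one account has a target count of 1 and stays silent, because the aggregation is `count_distinct` over user principal names rather than a count of failed attempts. Repeated failures against a single account from one source therefore need a different rule. When tuning, the `status.error_code` referenced in the query comments is the field to inspect, since some non-success codes (for example interrupted or MFA-pending sign-ins) may not represent a wrong password.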
Framework: MITRE ATT&CK™
- Tactic:
  - Name: Credential Access
  - ID: TA0006
  - Reference URL: https://attack.mitre.org/tactics/TA0006/
- Technique:
  - Name: Brute Force
  - ID: T1110
  - Reference URL: https://attack.mitre.org/techniques/T1110/