Microsoft Entra ID Sign-In Brute Force Activity
Identifies potential brute-force attacks targeting user accounts by analyzing failed sign-in patterns in Microsoft Entra ID Sign-In Logs. This detection focuses on a high volume of failed interactive or non-interactive authentication attempts within a short time window, often indicative of password spraying, credential stuffing, or password guessing. Adversaries may use these techniques to gain unauthorized access to applications integrated with Entra ID or to compromise valid user accounts.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2024/09/06"
3integration = ["azure"]
4maturity = "production"
5updated_date = "2025/09/10"
6
7[rule]
8author = ["Elastic"]
9description = """
10Identifies potential brute-force attacks targeting user accounts by analyzing failed sign-in patterns in Microsoft Entra
11ID Sign-In Logs. This detection focuses on a high volume of failed interactive or non-interactive authentication
12attempts within a short time window, often indicative of password spraying, credential stuffing, or password guessing.
13Adversaries may use these techniques to gain unauthorized access to applications integrated with Entra ID or to
14compromise valid user accounts.
15"""
16false_positives = [
17 """
18 Automated processes that attempt to authenticate using expired credentials or have misconfigured authentication
19 settings may lead to false positives.
20 """,
21]
22from = "now-60m"
23interval = "15m"
24language = "esql"
25license = "Elastic License v2"
26name = "Microsoft Entra ID Sign-In Brute Force Activity"
27note = """## Triage and analysis
28
29### Investigating Microsoft Entra ID Sign-In Brute Force Activity
30
31This rule detects brute-force authentication activity in Entra ID sign-in logs. It classifies failed sign-in attempts into behavior types such as password spraying, credential stuffing, or password guessing. The classification (`bf_type`) helps prioritize triage and incident response.
32
33### Possible investigation steps
34
35- Review `bf_type`: Determines the brute-force technique being used (`password_spraying`, `credential_stuffing`, or `password_guessing`).
36- Examine `user_id_list`: Identify if high-value accounts (e.g., administrators, service principals, federated identities) are being targeted.
37- Review `login_errors`: Repetitive error types like `"Invalid Grant"` or `"User Not Found"` suggest automated attacks.
38- Check `ip_list` and `source_orgs`: Investigate if the activity originates from suspicious infrastructure (VPNs, hosting providers, etc.).
39- Validate `unique_ips` and `countries`: Geographic diversity and IP volume may indicate distributed or botnet-based attacks.
40- Compare `total_attempts` vs `duration_seconds`: High rate of failures in a short time period implies automation.
41- Analyze `user_agent.original` and `device_detail_browser`: User agents like `curl`, `Python`, or generic libraries may indicate scripting tools.
42- Investigate `client_app_display_name` and `incoming_token_type`: Detect potential abuse of legacy or unattended login mechanisms.
43- Inspect `target_resource_display_name`: Understand what application or resource the attacker is trying to access.
44- Pivot using `session_id` and `device_detail_device_id`: Determine if a device is targeting multiple accounts.
45- Review `conditional_access_status`: If not enforced, ensure Conditional Access policies are scoped correctly.
46
47### False positive analysis
48
49- Legitimate automation (e.g., misconfigured scripts, sync processes) can trigger repeated failures.
50- Internal red team activity or penetration tests may mimic brute-force behaviors.
51- Certain service accounts or mobile clients may generate repetitive sign-in noise if not properly configured.
52
53### Response and remediation
54
55- Notify your identity security team for further analysis.
56- Investigate and lock or reset impacted accounts if compromise is suspected.
57- Block offending IPs or ASNs at the firewall, proxy, or using Conditional Access.
58- Confirm MFA and Conditional Access are enforced for all user types.
59- Audit targeted accounts for credential reuse across services.
60- Implement account lockout or throttling for failed sign-in attempts where possible.
61"""
62references = [
63 "https://www.proofpoint.com/us/blog/threat-insight/attackers-unleash-teamfiltration-account-takeover-campaign",
64 "https://www.microsoft.com/en-us/security/blog/2025/05/27/new-russia-affiliated-actor-void-blizzard-targets-critical-sectors-for-espionage/",
65 "https://cloud.hacktricks.xyz/pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/az-password-spraying",
66 "https://learn.microsoft.com/en-us/security/operations/incident-response-playbook-password-spray",
67 "https://learn.microsoft.com/en-us/purview/audit-log-detailed-properties",
68 "https://securityscorecard.com/research/massive-botnet-targets-m365-with-stealthy-password-spraying-attacks/",
69 "https://learn.microsoft.com/en-us/entra/identity-platform/reference-error-codes",
70 "https://github.com/0xZDH/Omnispray",
71 "https://github.com/0xZDH/o365spray",
72]
73risk_score = 47
74rule_id = "cca64114-fb8b-11ef-86e2-f661ea17fbce"
75severity = "medium"
76tags = [
77 "Domain: Cloud",
78 "Domain: Identity",
79 "Data Source: Azure",
80 "Data Source: Entra ID",
81 "Data Source: Entra ID Sign-in Logs",
82 "Use Case: Identity and Access Audit",
83 "Use Case: Threat Detection",
84 "Tactic: Credential Access",
85 "Resources: Investigation Guide",
86]
87timestamp_override = "event.ingested"
88type = "esql"
89
90query = '''
91from logs-azure.signinlogs*
92
93// Define a time window for grouping and maintain the original event timestamp
94| eval Esql.time_window_date_trunc = date_trunc(15 minutes, @timestamp)
95
96// Filter relevant failed authentication events with specific error codes
97| where event.dataset == "azure.signinlogs"
98 and event.category == "authentication"
99 and azure.signinlogs.category in ("NonInteractiveUserSignInLogs", "SignInLogs")
100 and event.outcome == "failure"
101 and azure.signinlogs.properties.authentication_requirement == "singleFactorAuthentication"
102 and azure.signinlogs.properties.status.error_code in (
103 50034, // UserAccountNotFound
104 50126, // InvalidUsernameOrPassword
105 50055, // PasswordExpired
106 50056, // InvalidPassword
107 50057, // UserDisabled
108 50064, // CredentialValidationFailure
109 50076, // MFARequiredButNotPassed
110 50079, // MFARegistrationRequired
111 50105, // EntitlementGrantsNotFound
112 70000, // InvalidGrant
113 70008, // ExpiredOrRevokedRefreshToken
114 70043, // BadTokenDueToSignInFrequency
115 80002, // OnPremisePasswordValidatorRequestTimedOut
116 80005, // OnPremisePasswordValidatorUnpredictableWebException
117 50144, // InvalidPasswordExpiredOnPremPassword
118 50135, // PasswordChangeCompromisedPassword
119 50142, // PasswordChangeRequiredConditionalAccess
120 120000, // PasswordChangeIncorrectCurrentPassword
121 120002, // PasswordChangeInvalidNewPasswordWeak
122 120020 // PasswordChangeFailure
123 )
124 and azure.signinlogs.properties.user_principal_name is not null and azure.signinlogs.properties.user_principal_name != ""
125 and user_agent.original != "Mozilla/5.0 (compatible; MSAL 1.0) PKeyAuth/1.0"
126 and source.`as`.organization.name != "MICROSOFT-CORP-MSN-as-BLOCK"
127
128| stats
129 Esql.azure_signinlogs_properties_authentication_requirement_values = values(azure.signinlogs.properties.authentication_requirement),
130 Esql.azure_signinlogs_properties_app_id_values = values(azure.signinlogs.properties.app_id),
131 Esql.azure_signinlogs_properties_app_display_name_values = values(azure.signinlogs.properties.app_display_name),
132 Esql.azure_signinlogs_properties_resource_id_values = values(azure.signinlogs.properties.resource_id),
133 Esql.azure_signinlogs_properties_resource_display_name_values = values(azure.signinlogs.properties.resource_display_name),
134 Esql.azure_signinlogs_properties_conditional_access_status_values = values(azure.signinlogs.properties.conditional_access_status),
135 Esql.azure_signinlogs_properties_device_detail_browser_values = values(azure.signinlogs.properties.device_detail.browser),
136 Esql.azure_signinlogs_properties_device_detail_device_id_values = values(azure.signinlogs.properties.device_detail.device_id),
137 Esql.azure_signinlogs_properties_device_detail_operating_system_values = values(azure.signinlogs.properties.device_detail.operating_system),
138 Esql.azure_signinlogs_properties_incoming_token_type_values = values(azure.signinlogs.properties.incoming_token_type),
139 Esql.azure_signinlogs_properties_risk_state_values = values(azure.signinlogs.properties.risk_state),
140 Esql.azure_signinlogs_properties_session_id_values = values(azure.signinlogs.properties.session_id),
141 Esql.azure_signinlogs_properties_user_id_values = values(azure.signinlogs.properties.user_id),
142 Esql_priv.azure_signinlogs_properties_user_principal_name_values = values(azure.signinlogs.properties.user_principal_name),
143 Esql.azure_signinlogs_result_description_values = values(azure.signinlogs.result_description),
144 Esql.azure_signinlogs_result_signature_values = values(azure.signinlogs.result_signature),
145 Esql.azure_signinlogs_result_type_values = values(azure.signinlogs.result_type),
146
147 Esql.azure_signinlogs_properties_user_id_count_distinct = count_distinct(azure.signinlogs.properties.user_id),
148 Esql.azure_signinlogs_properties_user_id_list = values(azure.signinlogs.properties.user_id),
149 Esql.azure_signinlogs_result_description_values_all = values(azure.signinlogs.result_description),
150 Esql.azure_signinlogs_result_description_count_distinct = count_distinct(azure.signinlogs.result_description),
151 Esql.azure_signinlogs_properties_status_error_code_values = values(azure.signinlogs.properties.status.error_code),
152 Esql.azure_signinlogs_properties_status_error_code_count_distinct = count_distinct(azure.signinlogs.properties.status.error_code),
153 Esql.azure_signinlogs_properties_incoming_token_type_values_all = values(azure.signinlogs.properties.incoming_token_type),
154 Esql.azure_signinlogs_properties_app_display_name_values_all = values(azure.signinlogs.properties.app_display_name),
155 Esql.source_ip_values = values(source.ip),
156 Esql.source_ip_count_distinct = count_distinct(source.ip),
157 Esql.source_as_organization_name_values = values(source.`as`.organization.name),
158 Esql.source_geo_country_name_values = values(source.geo.country_name),
159 Esql.source_geo_country_name_count_distinct = count_distinct(source.geo.country_name),
160 Esql.source_as_organization_name_count_distinct = count_distinct(source.`as`.organization.name),
161 Esql.timestamp_first_seen = min(@timestamp),
162 Esql.timestamp_last_seen = max(@timestamp),
163 Esql.event_count = count()
164by Esql.time_window_date_trunc
165
166| eval
167 Esql.duration_seconds = date_diff("seconds", Esql.timestamp_first_seen, Esql.timestamp_last_seen),
168 Esql.brute_force_type = case(
169 Esql.azure_signinlogs_properties_user_id_count_distinct >= 10 and Esql.event_count >= 30 and Esql.azure_signinlogs_result_description_count_distinct <= 3
170 and Esql.source_ip_count_distinct >= 5
171 and Esql.duration_seconds <= 600
172 and Esql.azure_signinlogs_properties_user_id_count_distinct > Esql.source_ip_count_distinct,
173 "credential_stuffing",
174
175 Esql.azure_signinlogs_properties_user_id_count_distinct >= 15 and Esql.azure_signinlogs_result_description_count_distinct == 1 and Esql.event_count >= 15 and Esql.duration_seconds <= 1800,
176 "password_spraying",
177
178 (Esql.azure_signinlogs_properties_user_id_count_distinct == 1 and Esql.azure_signinlogs_result_description_count_distinct == 1 and Esql.event_count >= 30 and Esql.duration_seconds <= 300)
179 or (Esql.azure_signinlogs_properties_user_id_count_distinct <= 3 and Esql.source_ip_count_distinct > 30 and Esql.event_count >= 100),
180 "password_guessing",
181
182 "other"
183 )
184
185| keep
186 Esql.time_window_date_trunc,
187 Esql.brute_force_type,
188 Esql.duration_seconds,
189 Esql.event_count,
190 Esql.timestamp_first_seen,
191 Esql.timestamp_last_seen,
192 Esql.azure_signinlogs_properties_user_id_count_distinct,
193 Esql.azure_signinlogs_properties_user_id_list,
194 Esql.azure_signinlogs_result_description_values_all,
195 Esql.azure_signinlogs_result_description_count_distinct,
196 Esql.azure_signinlogs_properties_status_error_code_count_distinct,
197 Esql.azure_signinlogs_properties_status_error_code_values,
198 Esql.azure_signinlogs_properties_incoming_token_type_values_all,
199 Esql.azure_signinlogs_properties_app_display_name_values_all,
200 Esql.source_ip_values,
201 Esql.source_ip_count_distinct,
202 Esql.source_as_organization_name_values,
203 Esql.source_geo_country_name_values,
204 Esql.source_geo_country_name_count_distinct,
205 Esql.source_as_organization_name_count_distinct,
206 Esql.azure_signinlogs_properties_authentication_requirement_values,
207 Esql.azure_signinlogs_properties_app_id_values,
208 Esql.azure_signinlogs_properties_app_display_name_values,
209 Esql.azure_signinlogs_properties_resource_id_values,
210 Esql.azure_signinlogs_properties_resource_display_name_values,
211 Esql.azure_signinlogs_properties_conditional_access_status_values,
212 Esql.azure_signinlogs_properties_device_detail_browser_values,
213 Esql.azure_signinlogs_properties_device_detail_device_id_values,
214 Esql.azure_signinlogs_properties_device_detail_operating_system_values,
215 Esql.azure_signinlogs_properties_incoming_token_type_values,
216 Esql.azure_signinlogs_properties_risk_state_values,
217 Esql.azure_signinlogs_properties_session_id_values,
218 Esql.azure_signinlogs_properties_user_id_values,
219 Esql_priv.azure_signinlogs_properties_user_principal_name_values,
220 Esql.azure_signinlogs_result_description_values,
221 Esql.azure_signinlogs_result_signature_values,
222 Esql.azure_signinlogs_result_type_values
223
224| where Esql.brute_force_type != "other"
225'''
226
227
228[[rule.threat]]
229framework = "MITRE ATT&CK"
230[[rule.threat.technique]]
231id = "T1110"
232name = "Brute Force"
233reference = "https://attack.mitre.org/techniques/T1110/"
234[[rule.threat.technique.subtechnique]]
235id = "T1110.001"
236name = "Password Guessing"
237reference = "https://attack.mitre.org/techniques/T1110/001/"
238
239[[rule.threat.technique.subtechnique]]
240id = "T1110.003"
241name = "Password Spraying"
242reference = "https://attack.mitre.org/techniques/T1110/003/"
243
244[[rule.threat.technique.subtechnique]]
245id = "T1110.004"
246name = "Credential Stuffing"
247reference = "https://attack.mitre.org/techniques/T1110/004/"
248
249
250
251[rule.threat.tactic]
252id = "TA0006"
253name = "Credential Access"
254reference = "https://attack.mitre.org/tactics/TA0006/"
Triage and analysis
Investigating Microsoft Entra ID Sign-In Brute Force Activity
This rule detects brute-force authentication activity in Entra ID sign-in logs. It classifies failed sign-in attempts into behavior types such as password spraying, credential stuffing, or password guessing. The classification (bf_type
) helps prioritize triage and incident response.
Possible investigation steps
- Review
bf_type
: Determines the brute-force technique being used (password_spraying
,credential_stuffing
, orpassword_guessing
). - Examine
user_id_list
: Identify if high-value accounts (e.g., administrators, service principals, federated identities) are being targeted. - Review
login_errors
: Repetitive error types like"Invalid Grant"
or"User Not Found"
suggest automated attacks. - Check
ip_list
andsource_orgs
: Investigate if the activity originates from suspicious infrastructure (VPNs, hosting providers, etc.). - Validate
unique_ips
andcountries
: Geographic diversity and IP volume may indicate distributed or botnet-based attacks. - Compare
total_attempts
vsduration_seconds
: High rate of failures in a short time period implies automation. - Analyze
user_agent.original
anddevice_detail_browser
: User agents likecurl
,Python
, or generic libraries may indicate scripting tools. - Investigate
client_app_display_name
andincoming_token_type
: Detect potential abuse of legacy or unattended login mechanisms. - Inspect
target_resource_display_name
: Understand what application or resource the attacker is trying to access. - Pivot using
session_id
anddevice_detail_device_id
: Determine if a device is targeting multiple accounts. - Review
conditional_access_status
: If not enforced, ensure Conditional Access policies are scoped correctly.
False positive analysis
- Legitimate automation (e.g., misconfigured scripts, sync processes) can trigger repeated failures.
- Internal red team activity or penetration tests may mimic brute-force behaviors.
- Certain service accounts or mobile clients may generate repetitive sign-in noise if not properly configured.
Response and remediation
- Notify your identity security team for further analysis.
- Investigate and lock or reset impacted accounts if compromise is suspected.
- Block offending IPs or ASNs at the firewall, proxy, or using Conditional Access.
- Confirm MFA and Conditional Access are enforced for all user types.
- Audit targeted accounts for credential reuse across services.
- Implement account lockout or throttling for failed sign-in attempts where possible.
References
Related rules
- Microsoft 365 Brute Force via Entra ID Sign-Ins
- Microsoft Entra ID Exccessive Account Lockouts Detected
- Microsoft Entra ID MFA TOTP Brute Force Attempts
- Suspicious Microsoft OAuth Flow via Auth Broker to DRS
- Entra ID Protection - Risk Detection - Sign-in Risk