Attempts to Brute Force a Microsoft 365 User Account
Identifies attempts to brute force a Microsoft 365 user account. An adversary may attempt a brute force attack to obtain unauthorized access to user accounts.
Elastic rule
[metadata]
creation_date = "2020/11/30"
integration = ["o365"]
maturity = "production"
min_stack_comments = "Breaking change at 8.8.0 for Microsoft 365 Integration."
min_stack_version = "8.8.0"
updated_date = "2024/04/02"

[rule]
author = ["Elastic", "Willem D'Haese", "Austin Songer"]
description = """
Identifies attempts to brute force a Microsoft 365 user account. An adversary may attempt a brute force attack to obtain
unauthorized access to user accounts.
"""
false_positives = [
    """
    Automated processes that attempt to authenticate using expired credentials and unbounded retries may lead to false
    positives.
    """,
]
from = "now-30m"
index = ["filebeat-*", "logs-o365*"]
language = "kuery"
license = "Elastic License v2"
name = "Attempts to Brute Force a Microsoft 365 User Account"
note = """## Setup

The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = ["https://blueteamblog.com/7-ways-to-monitor-your-office-365-logs-using-siem"]
risk_score = 73
rule_id = "26f68dba-ce29-497b-8e13-b4fde1db5a2d"
severity = "high"
tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Identity and Access Audit", "Tactic: Credential Access"]
type = "threshold"
timestamp_override = "event.ingested"

query = '''
event.dataset:o365.audit and event.provider:(AzureActiveDirectory or Exchange) and
    event.category:authentication and event.action:(UserLoginFailed or PasswordLogonInitialAuthUsingPassword) and
    not o365.audit.LogonError:(UserAccountNotFound or EntitlementGrantsNotFound or UserStrongAuthEnrollmentRequired or
    UserStrongAuthClientAuthNRequired or InvalidReplyTo)
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1110"
name = "Brute Force"
reference = "https://attack.mitre.org/techniques/T1110/"


[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"

[rule.threshold]
field = ["user.id"]
value = 10

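The rule above is a threshold rule: within the 30 minute lookback (`from = "now-30m"`), it counts the events that match the KQL query, grouped by `user.id`, and alerts for any user that reaches the threshold of 10. The following Python is an added illustration of that logic, written for this page and not Elastic's own implementation. It assumes events are flattened ECS dictionaries keyed by the field names the query uses (`event.dataset`, `event.provider`, `event.category`, `event.action`, `o365.audit.LogonError`, `user.id`, `event.ingested`), and the sample events are constructed, not real Microsoft 365 audit records. It also assumes that a threshold rule fires when the per-user count is at or above the configured value.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Values taken directly from the rule's query and [rule.threshold] section.
ALLOWED_PROVIDERS = {"AzureActiveDirectory", "Exchange"}
ALLOWED_ACTIONS = {"UserLoginFailed", "PasswordLogonInitialAuthUsingPassword"}
EXCLUDED_LOGON_ERRORS = {
    "UserAccountNotFound",
    "EntitlementGrantsNotFound",
    "UserStrongAuthEnrollmentRequired",
    "UserStrongAuthClientAuthNRequired",
    "InvalidReplyTo",
}
WINDOW = timedelta(minutes=30)   # from = "now-30m"
THRESHOLD = 10                   # [rule.threshold] value = 10

# Fixed "now" so the constructed sample is deterministic.
NOW = datetime(2024, 4, 2, 12, 0, tzinfo=timezone.utc)


def matches_query(event: dict) -> bool:
    """Apply the rule's KQL filter to one flattened ECS event (assumed field names)."""
    if event.get("event.dataset") != "o365.audit":
        return False
    if event.get("event.provider") not in ALLOWED_PROVIDERS:
        return False
    if event.get("event.category") != "authentication":
        return False
    if event.get("event.action") not in ALLOWED_ACTIONS:
        return False
    # KQL `not field:(...)` keeps events where the field is absent, so only an
    # explicit excluded value removes the event from the result set.
    if event.get("o365.audit.LogonError") in EXCLUDED_LOGON_ERRORS:
        return False
    return True


def threshold_hits(events, now=NOW, window=WINDOW, threshold=THRESHOLD) -> dict:
    """Count matching events per user.id inside [now - window, now] and return
    the users whose count reaches the threshold, with their counts."""
    start = now - window
    counts = Counter()
    for ev in events:
        ts = datetime.fromisoformat(ev["event.ingested"])  # timestamp_override
        if not (start <= ts <= now):
            continue
        user = ev.get("user.id")
        if user is None:          # threshold grouping needs the field present
            continue
        if matches_query(ev):
            counts[user] += 1
    return {user: n for user, n in counts.items() if n >= threshold}


def make_event(user, minutes_ago, action="UserLoginFailed",
               logon_error="InvalidUserNameOrPassword",
               provider="AzureActiveDirectory"):
    """Build one constructed, flattened o365.audit event (sample data, not a real log)."""
    ev = {
        "event.ingested": (NOW - timedelta(minutes=minutes_ago)).isoformat(),
        "event.dataset": "o365.audit",
        "event.provider": provider,
        "event.category": "authentication",
        "event.action": action,
        "user.id": user,
    }
    if logon_error is not None:
        ev["o365.audit.LogonError"] = logon_error
    return ev


# Constructed sample: one user that should alert and three that should not.
SAMPLE_EVENTS = (
    # 12 password failures inside the window: alerts
    [make_event("alice@example.com", m) for m in range(1, 13)]
    # 11 failures, every one an excluded LogonError (unknown account): no alert
    + [make_event("bob@example.com", m, logon_error="UserAccountNotFound") for m in range(1, 12)]
    # 5 failures: below the threshold
    + [make_event("carol@example.com", m) for m in range(1, 6)]
    # 12 failures, but two hours old: outside the 30 minute lookback
    + [make_event("dave@example.com", 120 + m) for m in range(1, 13)]
    # a successful logon for alice: wrong event.action, never counted
    + [make_event("alice@example.com", 3, action="UserLoggedIn", logon_error=None)]
)

if __name__ == "__main__":
    for user, n in sorted(threshold_hits(SAMPLE_EVENTS).items()):
        print(f"alert: {user} had {n} failed logons in the last 30 minutes")
```

The excluded `LogonError` values are what separate this rule from noise: failures for non-existent accounts or pending MFA enrolment are dropped before counting, which is why `bob@example.com` never fires even with eleven failures. The same per-user grouping is what distinguishes this rule from the related password-spraying rule, which looks across many users rather than at one.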
Setup
The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
References
- https://blueteamblog.com/7-ways-to-monitor-your-office-365-logs-using-siem
Related rules
- O365 Excessive Single Sign-On Logon Errors
- Potential Password Spraying of Microsoft 365 User Accounts
- Microsoft 365 Exchange Management Group Role Assignment
- Microsoft 365 Exchange Safe Link Policy Disabled
- Microsoft 365 Global Administrator Role Assigned