Attempts to Brute Force a Microsoft 365 User Account
Identifies attempts to brute force a Microsoft 365 user account. An adversary may attempt a brute force attack to obtain unauthorized access to user accounts.
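[metadata]
creation_date = "2020/11/30"
integration = ["o365"]
maturity = "production"
updated_date = "2024/07/01"

[rule]
author = ["Elastic", "Willem D'Haese", "Austin Songer"]
description = """
Identifies attempts to brute force a Microsoft 365 user account. An adversary may attempt a brute force attack to obtain
unauthorized access to user accounts.
"""
false_positives = [
    """
    Automated processes that attempt to authenticate using expired credentials and unbounded retries may lead to false
    positives.
    """,
]
# Lookback window of each execution. The login_attempt_counts threshold in the query
# is evaluated only over events inside this window, so attempts paced below the
# threshold per window are not reported; conversely a single burst may be reported by
# consecutive executions because successive windows overlap (no `interval` is set, so
# the platform default applies — confirm the effective interval in the rule settings).
from = "now-9m"
language = "esql"
license = "Elastic License v2"
name = "Attempts to Brute Force a Microsoft 365 User Account"
note = """## Setup

The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
    "https://blueteamblog.com/7-ways-to-monitor-your-office-365-logs-using-siem",
    "https://learn.microsoft.com/en-us/purview/audit-log-detailed-properties",
]
risk_score = 47
rule_id = "26f68dba-ce29-497b-8e13-b4fde1db5a2d"
severity = "medium"
tags = [
    "Domain: Cloud",
    "Domain: SaaS",
    "Data Source: Microsoft 365",
    "Use Case: Identity and Access Audit",
    "Tactic: Credential Access",
]
# Evaluate the lookback against ingest time rather than the event's own timestamp, so
# audit events that reach the index late are still seen by the window above.
timestamp_override = "event.ingested"
type = "esql"

# Reading notes for the query (kept as TOML comments so the ES|QL text itself is unchanged):
# - Failures are counted per (Target.ID, LogonError) pair. One account must therefore
#   accumulate more than 10 failures with the *same* error code inside the window;
#   failures spread across several error codes do not add up toward the threshold.
# - The grouping carries no source address, so the alert is per targeted account
#   regardless of how many sources the attempts come from. Low-volume attempts
#   against many accounts are the domain of the related password-spraying rule.
# - The LogonError exclusions drop MFA / Conditional Access interrupts that are not
#   password failures. NOTE(review): under ES|QL null semantics `not X in (...)` is
#   null when X is missing, so events with no LogonError are dropped too — confirm
#   that is intended.
# - RequestType is matched with a `(.*)login(.*)` pattern on the lower-cased value so
#   that interactive and application logins are kept and oauth:token requests are not.
query = '''
from logs-o365.audit-*
| MV_EXPAND event.category
| WHERE event.dataset == "o365.audit"
    AND event.category == "authentication"

    // filter only on Entra ID or Exchange audit logs in O365 integration
    AND event.provider in ("AzureActiveDirectory", "Exchange")

    // filter only for UserLoginFailed or partial failures
    AND event.action in ("UserLoginFailed", "PasswordLogonInitialAuthUsingPassword")

    // ignore specific logon errors
    AND not o365.audit.LogonError in (
        "EntitlementGrantsNotFound",
        "UserStrongAuthEnrollmentRequired",
        "UserStrongAuthClientAuthNRequired",
        "InvalidReplyTo",
        "SsoArtifactExpiredDueToConditionalAccess",
        "PasswordResetRegistrationRequiredInterrupt",
        "SsoUserAccountNotFoundInResourceTenant",
        "UserStrongAuthExpired",
        "CmsiInterrupt"
    )
    // filters out non user or application logins based on target
    AND o365.audit.Target.Type in ("0", "2", "3", "5", "6", "10")

    // filters only for logins from user or application, ignoring oauth:token
    AND to_lower(o365.audit.ExtendedProperties.RequestType) rlike "(.*)login(.*)"

| STATS
    // count the number of failed login attempts target per user
    login_attempt_counts = COUNT(*) by o365.audit.Target.ID, o365.audit.LogonError

| WHERE login_attempt_counts > 10
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1110"
name = "Brute Force"
reference = "https://attack.mitre.org/techniques/T1110/"


[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"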
Setup
The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
References
Related rules
- O365 Excessive Single Sign-On Logon Errors
- Potential Password Spraying of Microsoft 365 User Accounts
- Entra ID Device Code Auth with Broker Client
- Multiple Device Token Hashes for Single Okta Session
- New or Modified Federation Domain