Attempts to Brute Force a Microsoft 365 User Account

Identifies attempts to brute force a Microsoft 365 user account. An adversary may attempt a brute force attack to obtain unauthorized access to user accounts.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2020/11/30"
 3integration = ["o365"]
 4maturity = "production"
 5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 6min_stack_version = "8.3.0"
 7updated_date = "2024/01/17"
 8
 9[rule]
10author = ["Elastic", "Willem D'Haese", "Austin Songer"]
11description = """
12Identifies attempts to brute force a Microsoft 365 user account. An adversary may attempt a brute force attack to obtain
13unauthorized access to user accounts.
14"""
15false_positives = [
16    """
17    Automated processes that attempt to authenticate using expired credentials and unbounded retries may lead to false
18    positives.
19    """,
20]
21from = "now-30m"
22index = ["filebeat-*", "logs-o365*"]
23language = "kuery"
24license = "Elastic License v2"
25name = "Attempts to Brute Force a Microsoft 365 User Account"
26note = """## Setup
27
28The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
29references = ["https://blueteamblog.com/7-ways-to-monitor-your-office-365-logs-using-siem"]
30risk_score = 73
31rule_id = "26f68dba-ce29-497b-8e13-b4fde1db5a2d"
32severity = "high"
33tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Identity and Access Audit", "Tactic: Credential Access"]
34type = "threshold"
35timestamp_override = "event.ingested"
36
37query = '''
38event.dataset:o365.audit and event.provider:(AzureActiveDirectory or Exchange) and
39  event.category:authentication and event.action:(UserLoginFailed or PasswordLogonInitialAuthUsingPassword) and
40  not o365.audit.LogonError:(UserAccountNotFound or EntitlementGrantsNotFound or UserStrongAuthEnrollmentRequired or
41                             UserStrongAuthClientAuthNRequired or InvalidReplyTo)
42'''
43
44
45[[rule.threat]]
46framework = "MITRE ATT&CK"
47[[rule.threat.technique]]
48id = "T1110"
49name = "Brute Force"
50reference = "https://attack.mitre.org/techniques/T1110/"
51
52
53[rule.threat.tactic]
54id = "TA0006"
55name = "Credential Access"
56reference = "https://attack.mitre.org/tactics/TA0006/"
57
58[rule.threshold]
59field = ["user.id"]
60value = 10

Setup

The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.

References

Related rules

to-top