Attempts to Brute Force a Microsoft 365 User Account

Identifies attempts to brute force a Microsoft 365 user account. An adversary may attempt a brute force attack to obtain unauthorized access to user accounts. Concretely, the rule fires when 10 or more qualifying failed-authentication events for the same `user.id` are observed within a 30-minute window (see the `from` and `[rule.threshold]` settings below); failures spread thinly across many accounts (password spraying) stay under a per-user threshold and are not what this rule counts.

Elastic rule (View on GitHub)

# Rule metadata. `integration` names the Fleet integration (o365) whose field
# schema (o365.audit.*, user.id) the query and threshold below depend on.
[metadata]
creation_date = "2020/11/30"
integration = ["o365"]
maturity = "production"
updated_date = "2024/05/24"

[rule]
author = ["Elastic", "Willem D'Haese", "Austin Songer"]
description = """
Identifies attempts to brute force a Microsoft 365 user account. An adversary may attempt a brute force attack to obtain
unauthorized access to user accounts.
"""
false_positives = [
    """
    Automated processes that attempt to authenticate using expired credentials and unbounded retries may lead to false
    positives.
    """,
]
# Lookback window over which the per-user failure count (see [rule.threshold]) is
# accumulated. An attacker who keeps each account below the threshold within any
# 30-minute span (low-and-slow guessing) does not trigger this rule.
from = "now-30m"
index = ["filebeat-*", "logs-o365*"]
language = "kuery"
license = "Elastic License v2"
name = "Attempts to Brute Force a Microsoft 365 User Account"
note = """## Setup

The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = ["https://blueteamblog.com/7-ways-to-monitor-your-office-365-logs-using-siem"]
risk_score = 73
rule_id = "26f68dba-ce29-497b-8e13-b4fde1db5a2d"
severity = "high"
tags = [
    "Domain: Cloud",
    "Data Source: Microsoft 365",
    "Use Case: Identity and Access Audit",
    "Tactic: Credential Access",
]
# Evaluate the lookback against ingest time instead of the event's own timestamp,
# presumably so audit records delivered late still fall inside the 30m window —
# confirm against the integration's observed delivery lag.
timestamp_override = "event.ingested"
type = "threshold"

# Authentication events from the AzureActiveDirectory / Exchange audit providers
# whose action is UserLoginFailed or PasswordLogonInitialAuthUsingPassword. The
# excluded LogonError values are, going by their names, failures that do not mean
# a wrong password was tried: unknown accounts, MFA / registration interrupts and
# conditional-access artifacts. Note the security consequence of excluding
# UserAccountNotFound: guessing or enumeration against non-existent usernames is
# not counted by this rule. Do not place comments inside the literal string below;
# they would become part of the KQL.
query = '''
event.dataset:o365.audit and event.provider:(AzureActiveDirectory or Exchange) and
  event.category:authentication and event.action:(UserLoginFailed or PasswordLogonInitialAuthUsingPassword) and
  not o365.audit.LogonError:(UserAccountNotFound or EntitlementGrantsNotFound or UserStrongAuthEnrollmentRequired or
                             UserStrongAuthClientAuthNRequired or InvalidReplyTo or SsoArtifactExpiredDueToConditionalAccess or
                             PasswordResetRegistrationRequiredInterrupt or SsoUserAccountNotFoundInResourceTenant or
                             UserStrongAuthExpired)
'''


# ATT&CK mapping. T1110 (Brute Force) is a broad technique that also covers
# password spraying and credential stuffing, but the per-user threshold in
# [rule.threshold] only observes repeated failures against a single account.
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1110"
name = "Brute Force"
reference = "https://attack.mitre.org/techniques/T1110/"


# Tactic of the same [[rule.threat]] entry (sub-table of the element above).
[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"
62
# Alert once at least 10 matching failures are seen for the same user.id within
# the rule's lookback (`from = "now-30m"`). Grouping on user.id alone means a
# spray of fewer than 10 failures per account across many accounts stays silent.
# Documents lacking user.id likely drop out of the aggregation — confirm the
# integration populates it for both event.action values in the query.
[rule.threshold]
field = ["user.id"]
value = 10

Setup

The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. The data must populate `event.dataset`, `event.provider`, `event.category`, `event.action`, `o365.audit.LogonError` and `user.id` as the query and threshold expect; if `user.id` is missing, the per-user count cannot be formed and the rule will not fire.

References
