Deprecated - Potential Password Spraying of Microsoft 365 User Accounts
Identifies a high number (25) of failed Microsoft 365 user authentication attempts from a single IP address within 30 minutes, which could be indicative of a password spraying attack. An adversary may attempt a password spraying attack to obtain unauthorized access to user accounts.
Elastic rule (View on GitHub)
```toml
[metadata]
creation_date = "2020/12/01"
integration = ["o365"]
maturity = "production"
updated_date = "2024/09/05"

[rule]
author = ["Elastic"]
description = """
Identifies a high number (25) of failed Microsoft 365 user authentication attempts from a single IP address within 30
minutes, which could be indicative of a password spraying attack. An adversary may attempt a password spraying attack to
obtain unauthorized access to user accounts.
"""
false_positives = [
    """
    Automated processes that attempt to authenticate using expired credentials and unbounded retries may lead to false
    positives.
    """,
]
from = "now-30m"
index = ["filebeat-*", "logs-o365*"]
language = "kuery"
license = "Elastic License v2"
name = "Deprecated - Potential Password Spraying of Microsoft 365 User Accounts"
note = """This rule has been deprecated in favor of `Attempts to Brute Force a Microsoft 365 User Account` (26f68dba-ce29-497b-8e13-b4fde1db5a2d)."""
risk_score = 73
rule_id = "3efee4f0-182a-40a8-a835-102c68a4175d"
severity = "high"
tags = [
    "Domain: Cloud",
    "Data Source: Microsoft 365",
    "Use Case: Identity and Access Audit",
    "Tactic: Credential Access",
]
timestamp_override = "event.ingested"
type = "threshold"

query = '''
event.dataset:o365.audit and event.provider:(Exchange or AzureActiveDirectory) and event.category:authentication and
event.action:("UserLoginFailed" or "PasswordLogonInitialAuthUsingPassword")
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1110"
name = "Brute Force"
reference = "https://attack.mitre.org/techniques/T1110/"


[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"

[rule.threshold]
field = ["source.ip"]
value = 25
```
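To make the threshold logic concrete, the following Python script (an added example, not part of the Elastic rule or its repository) replays the rule's KQL filter and its `[rule.threshold]` grouping over a handful of constructed o365 audit events. It groups matching failures by `source.ip` inside the `now-30m` window (keyed on `event.ingested`, as `timestamp_override` specifies) and reports any address reaching 25. It also counts distinct target accounts per address, a triage aid that is not part of the rule itself, to separate a spray across many accounts from the single-account retry loop the rule's `false_positives` note describes. The `user.name` field and all sample values are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Parameters taken from the rule: from = "now-30m", threshold value = 25 per source.ip.
WINDOW = timedelta(minutes=30)
THRESHOLD = 25

# Fixed "now" so the constructed sample is reproducible.
NOW = datetime(2024, 9, 5, 12, 0, tzinfo=timezone.utc)


def make_event(ip, user, action, minutes_ago, provider="AzureActiveDirectory"):
    """Build a constructed o365.audit event using flattened ECS-style keys.
    `user.name` is an assumed field name chosen for this example."""
    return {
        "event.dataset": "o365.audit",
        "event.provider": provider,
        "event.category": "authentication",
        "event.action": action,
        "event.ingested": NOW - timedelta(minutes=minutes_ago),
        "source.ip": ip,
        "user.name": user,
    }


def matches_query(ev):
    """Python equivalent of the rule's KQL query."""
    return (
        ev.get("event.dataset") == "o365.audit"
        and ev.get("event.provider") in ("Exchange", "AzureActiveDirectory")
        and ev.get("event.category") == "authentication"
        and ev.get("event.action") in ("UserLoginFailed", "PasswordLogonInitialAuthUsingPassword")
    )


def threshold_alerts(events, now, window=WINDOW, threshold=THRESHOLD):
    """Group query matches by source.ip within [now - window, now] and return
    {ip: {"count": n, "distinct_users": m}} for every ip with n >= threshold."""
    window_start = now - window
    per_ip = defaultdict(list)
    for ev in events:
        if not matches_query(ev):
            continue
        if not (window_start <= ev["event.ingested"] <= now):
            continue
        per_ip[ev["source.ip"]].append(ev)
    alerts = {}
    for ip, evs in per_ip.items():
        if len(evs) >= threshold:
            alerts[ip] = {
                "count": len(evs),
                "distinct_users": len({e["user.name"] for e in evs}),
            }
    return alerts


# Constructed sample data covering the cases the rule and its false-positive note describe.
SAMPLE_EVENTS = []
# Spray pattern: one address, one failure against each of 30 different accounts, a minute apart.
SAMPLE_EVENTS += [make_event("203.0.113.10", f"user{i:02d}@example.com", "UserLoginFailed", i) for i in range(30)]
# Same address, five failures older than the window: must not be counted.
SAMPLE_EVENTS += [make_event("203.0.113.10", f"user{i:02d}@example.com", "UserLoginFailed", 45 + i) for i in range(5)]
# Same address, a successful login: excluded by the event.action filter.
SAMPLE_EVENTS += [make_event("203.0.113.10", "user00@example.com", "UserLoggedIn", 3)]
# Automated job retrying one account with an expired credential (the documented false positive).
SAMPLE_EVENTS += [make_event("198.51.100.7", "svc-backup@example.com", "PasswordLogonInitialAuthUsingPassword", i, provider="Exchange") for i in range(25)]
# Below the threshold: no alert.
SAMPLE_EVENTS += [make_event("192.0.2.5", "alice@example.com", "UserLoginFailed", i) for i in range(10)]
# Wrong provider: excluded by the query even though these are failed logins.
SAMPLE_EVENTS += [make_event("192.0.2.9", "bob@example.com", "UserLoginFailed", 1, provider="SharePoint") for _ in range(30)]


if __name__ == "__main__":
    for ip, info in sorted(threshold_alerts(SAMPLE_EVENTS, NOW).items()):
        kind = "many accounts (spray-like)" if info["distinct_users"] > 1 else "single account (retry loop?)"
        print(f"{ip}: {info['count']} failures, {info['distinct_users']} target accounts -> {kind}")
```

Both `203.0.113.10` and `198.51.100.7` cross the threshold and would fire this rule; only the distinct-account count distinguishes the spray from the retrying service account, which is why the rule's false-positive note matters during triage.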
This rule has been deprecated in favor of Attempts to Brute Force a Microsoft 365 User Account
(26f68dba-ce29-497b-8e13-b4fde1db5a2d).
Related rules
- O365 Excessive Single Sign-On Logon Errors
- AWS IAM CompromisedKeyQuarantine Policy Attached to User
- AWS EC2 Instance Console Login via Assumed Role
- Entra ID Device Code Auth with Broker Client
- New or Modified Federation Domain