Potential Password Spraying of Microsoft 365 User Accounts

Identifies a high number (25) of failed Microsoft 365 user authentication attempts from a single IP address within 30 minutes, which could be indicative of a password spraying attack. An adversary may attempt a password spraying attack to obtain unauthorized access to user accounts.

Elastic rule

[metadata]
creation_date = "2020/12/01"
integration = ["o365"]
maturity = "production"
updated_date = "2024/05/21"

[rule]
author = ["Elastic"]
description = """
Identifies a high number (25) of failed Microsoft 365 user authentication attempts from a single IP address within 30
minutes, which could be indicative of a password spraying attack. An adversary may attempt a password spraying attack to
obtain unauthorized access to user accounts.
"""
false_positives = [
    """
    Automated processes that attempt to authenticate using expired credentials and unbounded retries may lead to false
    positives.
    """,
]
from = "now-30m"
index = ["filebeat-*", "logs-o365*"]
language = "kuery"
license = "Elastic License v2"
name = "Potential Password Spraying of Microsoft 365 User Accounts"
note = """## Setup

The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
risk_score = 73
rule_id = "3efee4f0-182a-40a8-a835-102c68a4175d"
severity = "high"
tags = [
    "Domain: Cloud",
    "Data Source: Microsoft 365",
    "Use Case: Identity and Access Audit",
    "Tactic: Credential Access",
]
timestamp_override = "event.ingested"
type = "threshold"

query = '''
event.dataset:o365.audit and event.provider:(Exchange or AzureActiveDirectory) and event.category:authentication and
event.action:("UserLoginFailed" or "PasswordLogonInitialAuthUsingPassword")
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1110"
name = "Brute Force"
reference = "https://attack.mitre.org/techniques/T1110/"


[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"

[rule.threshold]
field = ["source.ip"]
value = 25
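To make the threshold logic concrete, the following Python re-implements the rule above over a handful of constructed Microsoft 365 audit events: it applies the same KQL filter (dataset, provider, category, action), keeps only events whose event.ingested timestamp falls inside the 30-minute window, groups by source.ip and reports any IP with 25 or more failures. It is an added example written for this page, not Elastic's code, and it assumes events have already been flattened into ECS-style dotted keys. It goes one step beyond the rule by also counting the distinct user.name values per IP, which helps an analyst separate spraying (many accounts, few attempts each) from repeated failures against a single account. The sample events, IP addresses and user names are constructed, not real logs.

```python
"""Added example (not Elastic's code): replay the password-spraying threshold
rule over constructed Microsoft 365 audit events."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(minutes=30)   # rule: from = "now-30m"
THRESHOLD = 25                   # rule: [rule.threshold] value = 25
PROVIDERS = {"Exchange", "AzureActiveDirectory"}
ACTIONS = {"UserLoginFailed", "PasswordLogonInitialAuthUsingPassword"}

# Fixed "now" so the demo is deterministic (constructed value).
NOW = datetime(2024, 5, 21, 12, 0, tzinfo=timezone.utc)


def matches_query(event):
    """Mirror the rule's KQL filter on a flattened ECS-style event dict."""
    return (
        event.get("event.dataset") == "o365.audit"
        and event.get("event.provider") in PROVIDERS
        and event.get("event.category") == "authentication"
        and event.get("event.action") in ACTIONS
    )


def password_spray_candidates(events, now, window=WINDOW, threshold=THRESHOLD):
    """Return {source.ip: {"failures": n, "distinct_users": m}} for every IP
    with at least `threshold` matching events ingested within `window`.
    The distinct-user count is an enrichment beyond the rule itself."""
    start = now - window
    users_by_ip = defaultdict(list)
    for event in events:
        ingested = datetime.fromisoformat(event["event.ingested"])  # timestamp_override
        if start <= ingested <= now and matches_query(event):
            users_by_ip[event["source.ip"]].append(event["user.name"])
    hits = {}
    for ip, users in users_by_ip.items():
        if len(users) >= threshold:
            hits[ip] = {"failures": len(users), "distinct_users": len(set(users))}
    return hits


def build_sample_events(now):
    """Constructed sample data (not real audit logs)."""
    base = {
        "event.dataset": "o365.audit",
        "event.provider": "AzureActiveDirectory",
        "event.category": "authentication",
    }
    events = []
    # 30 failures against 30 different accounts from one IP inside the window: a hit.
    for i in range(30):
        events.append({**base, "event.action": "UserLoginFailed",
                       "source.ip": "198.51.100.7",
                       "user.name": f"user{i}@example.com",
                       "event.ingested": (now - timedelta(minutes=i)).isoformat()})
    # 10 Exchange failures against one account from a second IP: below threshold.
    for i in range(10):
        events.append({**base, "event.provider": "Exchange",
                       "event.action": "PasswordLogonInitialAuthUsingPassword",
                       "source.ip": "203.0.113.5",
                       "user.name": "alice@example.com",
                       "event.ingested": (now - timedelta(minutes=i)).isoformat()})
    # 40 failures from a third IP, but two hours old: outside the window.
    for i in range(40):
        events.append({**base, "event.action": "UserLoginFailed",
                       "source.ip": "192.0.2.9",
                       "user.name": f"user{i}@example.com",
                       "event.ingested": (now - timedelta(hours=2, minutes=i)).isoformat()})
    # Successful logins from the first IP do not match the action filter.
    for _ in range(5):
        events.append({**base, "event.action": "UserLoggedIn",
                       "source.ip": "198.51.100.7",
                       "user.name": "bob@example.com",
                       "event.ingested": now.isoformat()})
    return events


def run_demo():
    """Evaluate the rule over the constructed events at the fixed NOW."""
    return password_spray_candidates(build_sample_events(NOW), NOW)


if __name__ == "__main__":
    for ip, info in run_demo().items():
        print(f"{ip}: {info['failures']} failures across "
              f"{info['distinct_users']} accounts in the last 30 minutes")
```

Only 198.51.100.7 is reported: 203.0.113.5 stays under the threshold, 192.0.2.9's failures are older than the window, and the successful logins are filtered out by the action clause. In a real deployment the equivalent grouping is done by the Elastic threshold rule itself; this script is useful for validating a copy of the query against exported events before tuning the threshold for an environment with noisy service accounts.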

Setup

The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
