O365 Excessive Single Sign-On Logon Errors

Identifies accounts with a high number of single sign-on (SSO) logon errors. Excessive logon errors may indicate an attempt to brute force a password or SSO token.

Elastic rule

```toml
[metadata]
creation_date = "2021/05/17"
integration = ["o365"]
maturity = "production"
updated_date = "2024/05/21"

[rule]
author = ["Elastic", "Austin Songer"]
description = """
Identifies accounts with a high number of single sign-on (SSO) logon errors. Excessive logon errors may indicate an
attempt to brute force a password or SSO token.
"""
false_positives = [
    """
    Automated processes that attempt to authenticate using expired credentials and unbounded retries may lead to false
    positives.
    """,
]
from = "now-20m"
index = ["filebeat-*", "logs-o365*"]
language = "kuery"
license = "Elastic License v2"
name = "O365 Excessive Single Sign-On Logon Errors"
note = """## Setup

The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
risk_score = 73
rule_id = "2de10e77-c144-4e69-afb7-344e7127abd0"
severity = "high"
tags = [
    "Domain: Cloud",
    "Data Source: Microsoft 365",
    "Use Case: Identity and Access Audit",
    "Tactic: Credential Access",
]
timestamp_override = "event.ingested"
type = "threshold"

query = '''
event.dataset:o365.audit and event.provider:AzureActiveDirectory and event.category:authentication and o365.audit.LogonError:"SsoArtifactInvalidOrExpired"
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1110"
name = "Brute Force"
reference = "https://attack.mitre.org/techniques/T1110/"


[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"

[rule.threshold]
field = ["user.id"]
value = 5
```
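As an added illustration (not part of the Elastic rule or its code base), the Python below reproduces the rule's evaluation over constructed o365.audit events: the four KQL conditions act as the filter, the 20-minute lookback corresponds to `from = "now-20m"`, and the threshold groups matching events by `user.id` and alerts at a count of 5 or more. The account names and the `SomeOtherError` LogonError value are constructed placeholders.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=20)  # from = "now-20m"
THRESHOLD = 5                   # [rule.threshold] value = 5, field = ["user.id"]


def matches_query(ev):
    """Mirror the rule's KQL: every condition in the query must hold."""
    return (ev.get("event.dataset") == "o365.audit"
            and ev.get("event.provider") == "AzureActiveDirectory"
            and ev.get("event.category") == "authentication"
            and ev.get("o365.audit.LogonError") == "SsoArtifactInvalidOrExpired")


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def threshold_alerts(events, now, window=WINDOW, threshold=THRESHOLD):
    """Count matching events per user.id inside [now - window, now] and
    return {user.id: count} for the accounts that reach the threshold."""
    start = now - window
    counts = defaultdict(int)
    for ev in events:
        if start <= parse_ts(ev["@timestamp"]) <= now and matches_query(ev):
            counts[ev["user.id"]] += 1
    return {uid: n for uid, n in counts.items() if n >= threshold}


def _ev(ts, uid, error="SsoArtifactInvalidOrExpired"):
    """Constructed o365.audit event, flattened to the field names the rule queries."""
    return {"@timestamp": ts, "event.dataset": "o365.audit",
            "event.provider": "AzureActiveDirectory", "event.category": "authentication",
            "o365.audit.LogonError": error, "user.id": uid}


# Constructed sample data: only alice reaches 5 matching errors inside the window.
SAMPLE_EVENTS = (
    [_ev(f"2024-05-21T10:{m:02d}:00Z", "alice@example.com") for m in (1, 4, 7, 11, 15)]  # 5 hits
    + [_ev(f"2024-05-21T10:{m:02d}:00Z", "bob@example.com") for m in (2, 9, 16)]         # only 3
    + [_ev("2024-05-21T10:05:00Z", "carol@example.com", error="SomeOtherError")]         # wrong LogonError
    + [_ev("2024-05-21T09:30:00Z", "dave@example.com")] * 6                              # outside the window
)
NOW = parse_ts("2024-05-21T10:20:00Z")

if __name__ == "__main__":
    print(threshold_alerts(SAMPLE_EVENTS, NOW))  # {'alice@example.com': 5}
```

Accounts such as dave, whose errors fall outside the lookback window, never count toward the threshold, which is why the rule's false-positive note about unbounded automated retries matters: a retry loop that keeps failing inside 20 minutes will trigger it.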

Setup

The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
