O365 Excessive Single Sign-On Logon Errors

Identifies accounts with a high number of single sign-on (SSO) logon errors. Excessive logon errors may indicate an attempt to brute force a password or SSO token.

Elastic rule

[metadata]
creation_date = "2021/05/17"
integration = ["o365"]
maturity = "production"
min_stack_comments = "Breaking change at 8.8.0 for Microsoft 365 Integration."
min_stack_version = "8.8.0"
updated_date = "2024/04/02"

[rule]
author = ["Elastic", "Austin Songer"]
description = """
Identifies accounts with a high number of single sign-on (SSO) logon errors. Excessive logon errors may indicate an
attempt to brute force a password or SSO token.
"""
false_positives = [
    """
    Automated processes that attempt to authenticate using expired credentials and unbounded retries may lead to false
    positives.
    """,
]
from = "now-20m"
index = ["filebeat-*", "logs-o365*"]
language = "kuery"
license = "Elastic License v2"
name = "O365 Excessive Single Sign-On Logon Errors"
note = """## Setup

The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
risk_score = 73
rule_id = "2de10e77-c144-4e69-afb7-344e7127abd0"
severity = "high"
tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Identity and Access Audit", "Tactic: Credential Access"]
type = "threshold"
timestamp_override = "event.ingested"

query = '''
event.dataset:o365.audit and event.provider:AzureActiveDirectory and event.category:authentication and o365.audit.LogonError:"SsoArtifactInvalidOrExpired"
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1110"
name = "Brute Force"
reference = "https://attack.mitre.org/techniques/T1110/"


[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"

[rule.threshold]
field = ["user.id"]
value = 5

Setup

The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
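The rule above is a threshold rule: the KQL query selects Azure AD authentication events whose LogonError is SsoArtifactInvalidOrExpired, and an alert fires for any user.id with at least 5 such events in the 20-minute lookback, judged on event.ingested. The following Python is an added example (not Elastic's code) that reproduces that logic over constructed sample events in a flattened field layout, so the threshold and window behaviour can be checked offline; the user names, timestamps and the "SomeOtherLogonError" value are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# The four exact-match terms joined by "and" in the rule's KQL query.
QUERY_FILTERS = {
    "event.dataset": "o365.audit",
    "event.provider": "AzureActiveDirectory",
    "event.category": "authentication",
    "o365.audit.LogonError": "SsoArtifactInvalidOrExpired",
}
NOW = datetime(2024, 4, 2, 12, 0, tzinfo=timezone.utc)  # constructed evaluation time


def make_event(user_id, minutes_ago, logon_error="SsoArtifactInvalidOrExpired"):
    """Constructed sample event; event.ingested is what the rule's timestamp_override uses."""
    ts = (NOW - timedelta(minutes=minutes_ago)).strftime("%Y-%m-%dT%H:%M:%SZ")
    return {"event.ingested": ts, "event.dataset": "o365.audit",
            "event.provider": "AzureActiveDirectory", "event.category": "authentication",
            "user.id": user_id, "o365.audit.LogonError": logon_error}


SAMPLE_EVENTS = (
    [make_event("alice@example.com", m) for m in (1, 3, 5, 7, 9, 11)]      # 6 in window -> alert
    + [make_event("bob@example.com", m) for m in (2, 4, 6)]                  # 3 -> below threshold
    + [make_event("carol@example.com", m) for m in (2, 4, 6, 25, 30)]        # only 3 inside 20m
    + [make_event("dave@example.com", m, "SomeOtherLogonError") for m in range(1, 6)]  # wrong error
)


def matches_query(event):
    """Apply the KQL filter to one event: every term must match exactly."""
    return all(event.get(field) == value for field, value in QUERY_FILTERS.items())


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def evaluate_rule(events, now=NOW, lookback=timedelta(minutes=20), threshold=5):
    """Count matching events per user.id inside [now - 20m, now] (from = "now-20m")
    and return the users at or above rule.threshold.value = 5."""
    window_start = now - lookback
    counts = defaultdict(int)
    for event in events:
        if window_start <= parse_ts(event["event.ingested"]) <= now and matches_query(event):
            counts[event["user.id"]] += 1
    return {user: n for user, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for user, n in evaluate_rule(SAMPLE_EVENTS).items():
        print(f"ALERT {user}: {n} SsoArtifactInvalidOrExpired errors in the last 20 minutes")
```

Only alice crosses the threshold: bob is under 5, carol's older two events fall outside the 20-minute window, and dave's errors do not match the LogonError term at all.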
