O365 Excessive Single Sign-On Logon Errors
Identifies accounts with a high number of single sign-on (SSO) logon errors. Excessive logon errors may indicate an attempt to brute force a password or SSO token.
Elastic rule (View on GitHub)
```toml
[metadata]
creation_date = "2021/05/17"
integration = ["o365"]
maturity = "production"
min_stack_comments = "Breaking change at 8.8.0 for Microsoft 365 Integration."
min_stack_version = "8.8.0"
updated_date = "2024/04/02"

[rule]
author = ["Elastic", "Austin Songer"]
description = """
Identifies accounts with a high number of single sign-on (SSO) logon errors. Excessive logon errors may indicate an
attempt to brute force a password or SSO token.
"""
false_positives = [
    """
    Automated processes that attempt to authenticate using expired credentials and unbounded retries may lead to false
    positives.
    """,
]
from = "now-20m"
index = ["filebeat-*", "logs-o365*"]
language = "kuery"
license = "Elastic License v2"
name = "O365 Excessive Single Sign-On Logon Errors"
note = """## Setup

The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
risk_score = 73
rule_id = "2de10e77-c144-4e69-afb7-344e7127abd0"
severity = "high"
tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Identity and Access Audit", "Tactic: Credential Access"]
type = "threshold"
timestamp_override = "event.ingested"

query = '''
event.dataset:o365.audit and event.provider:AzureActiveDirectory and event.category:authentication and o365.audit.LogonError:"SsoArtifactInvalidOrExpired"
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1110"
name = "Brute Force"
reference = "https://attack.mitre.org/techniques/T1110/"


[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"

[rule.threshold]
field = ["user.id"]
value = 5
```
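To see what the rule does end to end, here is an added example (not Elastic's code) that replays the KQL filter and the `[rule.threshold]` grouping in Python over a handful of constructed audit events. The events, their timestamps and the fixed "now" are assumptions made for the demonstration; the field names and the threshold of 5 per `user.id` within the `now-20m` lookback come from the rule above.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Fixed reference time so the 20-minute lookback is deterministic (assumption).
NOW = datetime(2024, 4, 2, 12, 0, tzinfo=timezone.utc)

def _ev(user, minutes_ago, logon_error="SsoArtifactInvalidOrExpired",
        provider="AzureActiveDirectory"):
    """Build one constructed event using the ECS / o365 integration keys the rule queries."""
    return {
        "event.dataset": "o365.audit",
        "event.provider": provider,
        "event.category": ["authentication"],   # ECS categories are arrays
        "event.ingested": NOW - timedelta(minutes=minutes_ago),  # rule's timestamp_override
        "user.id": user,
        "o365.audit.LogonError": logon_error,
    }

# Constructed sample data, not real telemetry.
SAMPLE_EVENTS = (
    [_ev("alice@example.com", m) for m in (1, 3, 5, 8, 12)]   # 5 errors in window
    + [_ev("bob@example.com", m) for m in (2, 4, 6)]          # only 3 errors
    + [_ev("carol@example.com", m) for m in (1, 2, 3, 25, 30)]  # 3 in window, 2 outside it
    + [_ev("dave@example.com", 2, logon_error="InvalidUserNameOrPassword") for _ in range(6)]
)

def matches_query(event):
    """The rule's KQL filter, expressed as a Python predicate over one document."""
    category = event.get("event.category") or []
    if isinstance(category, str):
        category = [category]
    return (
        event.get("event.dataset") == "o365.audit"
        and event.get("event.provider") == "AzureActiveDirectory"
        and "authentication" in category
        and event.get("o365.audit.LogonError") == "SsoArtifactInvalidOrExpired"
    )

def threshold_alerts(events, now=NOW, lookback=timedelta(minutes=20), threshold=5):
    """Apply [rule.threshold]: count matching docs per user.id inside the lookback
    window and return the users whose count reaches the threshold value."""
    window_start = now - lookback
    counts = Counter(
        e["user.id"] for e in events
        if matches_query(e) and window_start <= e["event.ingested"] <= now
    )
    return {user: n for user, n in counts.items() if n >= threshold}
```

Only `alice@example.com` fires with the rule's settings: bob and carol stay below 5 once events older than the lookback are dropped, and dave's failures carry a different `LogonError` and never match the query.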
Setup
The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
Related rules
- Attempts to Brute Force a Microsoft 365 User Account
- Potential Password Spraying of Microsoft 365 User Accounts
- Microsoft 365 Exchange Management Group Role Assignment
- Microsoft 365 Exchange Safe Link Policy Disabled
- Microsoft 365 Global Administrator Role Assigned