O365 Excessive Single Sign-On Logon Errors

Identifies accounts with a high number of single sign-on (SSO) logon errors. Excessive logon errors may indicate an attempt to brute force a password or SSO token.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2021/05/17"
 3integration = ["o365"]
 4maturity = "production"
 5updated_date = "2025/01/15"
 6
 7[rule]
 8author = ["Elastic", "Austin Songer"]
 9description = """
10Identifies accounts with a high number of single sign-on (SSO) logon errors. Excessive logon errors may indicate an
11attempt to brute force a password or SSO token.
12"""
13false_positives = [
14    """
15    Automated processes that attempt to authenticate using expired credentials and unbounded retries may lead to false
16    positives.
17    """,
18]
19from = "now-20m"
20index = ["filebeat-*", "logs-o365*"]
21language = "kuery"
22license = "Elastic License v2"
23name = "O365 Excessive Single Sign-On Logon Errors"
24note = """## Triage and analysis
25
26> **Disclaimer**:
27> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
28
29### Investigating O365 Excessive Single Sign-On Logon Errors
30
31Single Sign-On (SSO) in O365 streamlines user access by allowing one set of credentials for multiple applications. However, adversaries may exploit this by attempting brute force attacks to gain unauthorized access. The detection rule monitors for frequent SSO logon errors, signaling potential abuse, and helps identify compromised accounts by flagging unusual authentication patterns.
32
33### Possible investigation steps
34
35- Review the specific account(s) associated with the excessive SSO logon errors by examining the event logs filtered by the query fields, particularly focusing on the o365.audit.LogonError field with the value "SsoArtifactInvalidOrExpired".
36- Analyze the timestamps of the logon errors to determine if there is a pattern or specific time frame when the errors are occurring, which might indicate a targeted attack.
37- Check for any recent changes or unusual activities in the affected account(s), such as password changes, unusual login locations, or device changes, to assess if the account might be compromised.
38- Investigate the source IP addresses associated with the logon errors to identify if they are from known malicious sources or unusual locations for the user.
39- Correlate the logon error events with other security alerts or logs from the same time period to identify any related suspicious activities or potential indicators of compromise.
40- Contact the user(s) of the affected account(s) to verify if they experienced any issues with their account access or if they recognize the logon attempts, which can help determine if the activity is legitimate or malicious.
41
42### False positive analysis
43
44- High volume of legitimate user logins: Users who frequently log in and out of multiple O365 applications may trigger excessive logon errors. To manage this, create exceptions for known high-activity accounts.
45- Automated scripts or applications: Some automated processes may use outdated or incorrect credentials, leading to repeated logon errors. Identify and update these scripts to prevent false positives.
46- Password changes: Users who recently changed their passwords might experience logon errors if they have not updated their credentials across all devices and applications. Encourage users to update their credentials promptly.
47- Network issues: Temporary network disruptions can cause authentication errors. Monitor network stability and consider excluding errors during known network maintenance periods.
48- Multi-factor authentication (MFA) misconfigurations: Incorrect MFA settings can lead to logon errors. Verify and correct MFA configurations for affected users to reduce false positives.
49
50### Response and remediation
51
52- Immediately isolate the affected account by disabling it to prevent further unauthorized access attempts.
53- Conduct a password reset for the compromised account and enforce a strong password policy to mitigate the risk of future brute force attacks.
54- Review and analyze the account's recent activity logs to identify any unauthorized access or data exfiltration attempts.
55- Implement multi-factor authentication (MFA) for the affected account and other high-risk accounts to add an additional layer of security.
56- Notify the user of the affected account about the incident and provide guidance on recognizing phishing attempts and securing their credentials.
57- Escalate the incident to the security operations team for further investigation and to determine if additional accounts or systems have been compromised.
58- Update and enhance monitoring rules to detect similar patterns of excessive SSO logon errors, ensuring early detection of potential brute force attempts.
59
60## Setup
61
62The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
63risk_score = 73
64rule_id = "2de10e77-c144-4e69-afb7-344e7127abd0"
65severity = "high"
66tags = [
67    "Domain: Cloud",
68    "Data Source: Microsoft 365",
69    "Use Case: Identity and Access Audit",
70    "Tactic: Credential Access",
71    "Resources: Investigation Guide",
72]
73timestamp_override = "event.ingested"
74type = "threshold"
75
76query = '''
77event.dataset:o365.audit and event.provider:AzureActiveDirectory and event.category:authentication and o365.audit.LogonError:"SsoArtifactInvalidOrExpired"
78'''
79
80
81[[rule.threat]]
82framework = "MITRE ATT&CK"
83[[rule.threat.technique]]
84id = "T1110"
85name = "Brute Force"
86reference = "https://attack.mitre.org/techniques/T1110/"
87
88
89[rule.threat.tactic]
90id = "TA0006"
91name = "Credential Access"
92reference = "https://attack.mitre.org/tactics/TA0006/"
93
94[rule.threshold]
95field = ["user.id"]
96value = 5

Triage and analysis

Disclaimer: This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

Investigating O365 Excessive Single Sign-On Logon Errors

Single Sign-On (SSO) in O365 streamlines user access by allowing one set of credentials for multiple applications. However, adversaries may exploit this by attempting brute force attacks to gain unauthorized access. The detection rule monitors for frequent SSO logon errors, signaling potential abuse, and helps identify compromised accounts by flagging unusual authentication patterns.

Possible investigation steps

  • Review the specific account(s) associated with the excessive SSO logon errors by examining the event logs filtered by the query fields, particularly focusing on the o365.audit.LogonError field with the value "SsoArtifactInvalidOrExpired".
  • Analyze the timestamps of the logon errors to determine if there is a pattern or specific time frame when the errors are occurring, which might indicate a targeted attack.
  • Check for any recent changes or unusual activities in the affected account(s), such as password changes, unusual login locations, or device changes, to assess if the account might be compromised.
  • Investigate the source IP addresses associated with the logon errors to identify if they are from known malicious sources or unusual locations for the user.
  • Correlate the logon error events with other security alerts or logs from the same time period to identify any related suspicious activities or potential indicators of compromise.
  • Contact the user(s) of the affected account(s) to verify if they experienced any issues with their account access or if they recognize the logon attempts, which can help determine if the activity is legitimate or malicious.

False positive analysis

  • High volume of legitimate user logins: Users who frequently log in and out of multiple O365 applications may trigger excessive logon errors. To manage this, create exceptions for known high-activity accounts.
  • Automated scripts or applications: Some automated processes may use outdated or incorrect credentials, leading to repeated logon errors. Identify and update these scripts to prevent false positives.
  • Password changes: Users who recently changed their passwords might experience logon errors if they have not updated their credentials across all devices and applications. Encourage users to update their credentials promptly.
  • Network issues: Temporary network disruptions can cause authentication errors. Monitor network stability and consider excluding errors during known network maintenance periods.
  • Multi-factor authentication (MFA) misconfigurations: Incorrect MFA settings can lead to logon errors. Verify and correct MFA configurations for affected users to reduce false positives.

Response and remediation

  • Immediately isolate the affected account by disabling it to prevent further unauthorized access attempts.
  • Conduct a password reset for the compromised account and enforce a strong password policy to mitigate the risk of future brute force attacks.
  • Review and analyze the account's recent activity logs to identify any unauthorized access or data exfiltration attempts.
  • Implement multi-factor authentication (MFA) for the affected account and other high-risk accounts to add an additional layer of security.
  • Notify the user of the affected account about the incident and provide guidance on recognizing phishing attempts and securing their credentials.
  • Escalate the incident to the security operations team for further investigation and to determine if additional accounts or systems have been compromised.
  • Update and enhance monitoring rules to detect similar patterns of excessive SSO logon errors, ensuring early detection of potential brute force attempts.

Setup

The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.

Related rules

to-top