Increased Failed Authentications Of Any Type

Aug 12, 2024 · attack.defense-evasion attack.t1078 ·

Detects when sign-ins increased by 10% or greater.

Sigma rule (View on GitHub)

 1title: Increased Failed Authentications Of Any Type
 2id: e1d02b53-c03c-4948-b11d-4d00cca49d03
 3status: test
 4description: Detects when sign-ins increased by 10% or greater.
 5references:
 6    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins
 7author: Mark Morowczynski '@markmorow', MikeDuddington, '@dudders1'
 8date: 2022-08-11
 9tags:
10    - attack.defense-evasion
11    - attack.t1078
12logsource:
13    product: azure
14    service: signinlogs
15detection:
16    selection:
17        Status: failure
18        Count: "<10%"
19    condition: selection
20falsepositives:
21    - Unlikely
22level: medium

References

Microsoft Entra security operations for user accounts - Microsoft Entra

Guidance to establish baselines and how to monitor and alert on potential security issues with user accounts.

Read More

Increased Failed Authentications Of Any Type

Sigma rule (View on GitHub)

References

Microsoft Entra security operations for user accounts - Microsoft Entra

Related rules