Increased Failed Authentications Of Any Type
Detects when sign-ins increased by 10% or greater.
Sigma rule (View on GitHub)
1title: Increased Failed Authentications Of Any Type
2id: e1d02b53-c03c-4948-b11d-4d00cca49d03
3status: test
4description: Detects when sign-ins increased by 10% or greater.
5references:
6 - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins
7author: Mark Morowczynski '@markmorow', MikeDuddington, '@dudders1'
8date: 2022/08/11
9tags:
10 - attack.defense_evasion
11 - attack.t1078
12logsource:
13 product: azure
14 service: signinlogs
15detection:
16 selection:
17 Status: failure
18 Count: "<10%"
19 condition: selection
20falsepositives:
21 - Unlikely
22level: medium
References
-
Guidance to establish baselines and how to monitor and alert on potential security issues with user accounts.
Read More
Related rules
- Account Created And Deleted Within A Close Time Frame
- Account Tampering - Suspicious Failed Logon Reasons
- Application Using Device Code Authentication Flow
- Applications That Are Using ROPC Authentication Flow
- Measurable Increase Of Successful Authentications