Login to Disabled Account
Detect failed attempts to sign in to disabled accounts.
Sigma rule (View on GitHub)
1title: Login to Disabled Account
2id: 908655e0-25cf-4ae1-b775-1c8ce9cf43d8
3status: test
4description: Detect failed attempts to sign in to disabled accounts.
5references:
6 - https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts
7author: AlertIQ
8date: 2021-10-10
9modified: 2022-12-25
10tags:
11 - attack.privilege-escalation
12 - attack.persistence
13 - attack.defense-evasion
14 - attack.initial-access
15 - attack.t1078.004
16logsource:
17 product: azure
18 service: signinlogs
19detection:
20 selection:
21 ResultType: 50057
22 ResultDescription: 'User account is disabled. The account has been disabled by an administrator.'
23 condition: selection
24falsepositives:
25 - Unknown
26level: medium
References
-
Learn about baselines, and how to monitor and alert on potential security issues with privileged accounts in Microsoft Entra ID.
Read More
Related rules
- AWS IAM S3Browser LoginProfile Creation
- AWS IAM S3Browser Templated S3 Bucket Policy Creation
- AWS IAM S3Browser User or AccessKey Creation
- AWS Root Credentials
- AWS SAML Provider Deletion Activity