Login to Disabled Account

Detect failed attempts to sign in to disabled accounts.

Sigma rule (View on GitHub)

 1title: Login to Disabled Account
 2id: 908655e0-25cf-4ae1-b775-1c8ce9cf43d8
 3status: test
 4description: Detect failed attempts to sign in to disabled accounts.
 5references:
 6    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts
 7author: AlertIQ
 8date: 2021/10/10
 9modified: 2022/12/25
10tags:
11    - attack.initial_access
12    - attack.t1078.004
13logsource:
14    product: azure
15    service: signinlogs
16detection:
17    selection:
18        ResultType: 50057
19        ResultDescription: 'User account is disabled. The account has been disabled by an administrator.'
20    condition: selection
21falsepositives:
22    - Unknown
23level: medium

References

Related rules

to-top