Sign-in Failure Bad Password Threshold
Define a baseline threshold and then monitor and adjust to suit your organizational behaviors and limit false alerts from being generated.
Sigma rule
title: Sign-in Failure Bad Password Threshold
id: dff74231-dbed-42ab-ba49-83289be2ac3a
status: unsupported
description: Define a baseline threshold and then monitor and adjust to suit your organizational behaviors and limit false alerts from being generated.
references:
    - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor
author: Corissa Koopmans, '@corissalea'
date: 2022/04/21
modified: 2023/03/24
tags:
    - attack.credential_access
    - attack.t1110
logsource:
    product: azure
    service: signinlogs
detection:
    selection:
        ResultType: 50126
        ResultDescription: Invalid username or password or Invalid on-premises username or password.
    filter_computer:
        TargetUserName|endswith: '$'
    condition: selection and not filter_computer | count(TargetUserName) by IpAddress > 10
falsepositives:
    - Failed Azure AD Connect Synchronization
    - Service account use with an incorrect password specified
    - Misconfigured systems
    - Vulnerability scanners
level: high
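The rule's selection, computer-account filter and `count(TargetUserName) by IpAddress` aggregation, implemented as an added Python example (not code from the Sigma project or the rule's author) over constructed sample sign-in records; the threshold is a parameter so it can be tuned the way the description recommends.

```python
from collections import defaultdict

# Values the rule's selection block keys on (copied from the rule above).
BAD_PASSWORD_RESULT_TYPE = 50126
BAD_PASSWORD_DESCRIPTION = ("Invalid username or password or Invalid "
                            "on-premises username or password.")

def sign_in_event(result_type, target_user, ip):
    """Build a constructed sign-in record with the four fields the rule uses."""
    desc = BAD_PASSWORD_DESCRIPTION if result_type == BAD_PASSWORD_RESULT_TYPE else "Other error"
    return {"ResultType": result_type, "ResultDescription": desc,
            "TargetUserName": target_user, "IpAddress": ip}

# Constructed sample events (not real log data), one scenario per source IP.
SAMPLE_SIGNIN_LOGS = (
    # 12 distinct users failing from one source: over the rule's threshold of 10
    [sign_in_event(50126, f"user{i:02d}@example.com", "203.0.113.10") for i in range(12)]
    # 3 accounts failing 5 times each: 15 events, but only 3 distinct names
    + [sign_in_event(50126, f"svc{i}@example.com", "192.0.2.5") for i in range(3) for _ in range(5)]
    # computer-account failures are dropped by filter_computer (name ends in '$')
    + [sign_in_event(50126, "WS01$", "198.51.100.7") for _ in range(20)]
    # a different ResultType never enters the selection, however many events
    + [sign_in_event(50053, f"user{i:02d}@example.com", "198.51.100.9") for i in range(15)]
)

def matches_selection(event):
    """The rule's 'selection' block: both fields must match."""
    return (event.get("ResultType") == BAD_PASSWORD_RESULT_TYPE
            and event.get("ResultDescription") == BAD_PASSWORD_DESCRIPTION)

def is_computer_account(event):
    """The rule's 'filter_computer' block: TargetUserName|endswith '$'."""
    return str(event.get("TargetUserName", "")).endswith("$")

def distinct_failed_users_by_ip(events):
    """count(TargetUserName) by IpAddress: distinct user names per source, after filtering."""
    users = defaultdict(set)
    for event in events:
        if matches_selection(event) and not is_computer_account(event):
            users[event["IpAddress"]].add(event["TargetUserName"])
    return {ip: len(names) for ip, names in users.items()}

def alerting_sources(events, threshold=10):
    """Source IPs whose distinct-user count exceeds the (tunable) threshold."""
    return sorted(ip for ip, n in distinct_failed_users_by_ip(events).items() if n > threshold)

if __name__ == "__main__":
    print(distinct_failed_users_by_ip(SAMPLE_SIGNIN_LOGS))
    print("alert on:", alerting_sources(SAMPLE_SIGNIN_LOGS))
```

Note that the count is of distinct target names per source, so 15 failures spread over 3 accounts stay below a threshold of 10; lower the threshold only after checking the false-positive sources listed in the rule.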
Related rules
- Failed Logins with Different Accounts from Single Source - Linux
- External Remote Service Logon from Public IP
- Stored Credentials in Fake Files
- Possible Impacket GetUserSPNs Activity
- Mimikatz Command Line With Ticket Export