| ID | Technique | Tactic |
|---|---|---|
| T1078 | Valid Accounts | Defense Evasion |
Detection: O365 Multiple AppIDs and UserAgents Authentication Spike
Description
The following analytic identifies unusual authentication activity in an O365 environment, where a single user account experiences more than 8 authentication attempts using 3 or more unique application IDs and over 5 unique user agents within a short timeframe. It leverages O365 audit logs, focusing on authentication events and applying statistical thresholds. This behavior is significant as it may indicate an adversary probing for multi-factor authentication weaknesses. If confirmed malicious, it suggests a compromised account, potentially leading to unauthorized access, privilege escalation, and data exfiltration. Early detection is crucial to prevent further exploitation.
Search
1`o365_management_activity` Workload=AzureActiveDirectory (Operation=UserLoggedIn OR Operation=UserLoginFailed)
2| bucket span=5m _time
3| stats dc(_raw) as failed_attempts dc(ApplicationId) as unique_app_ids dc(UserAgent) as unique_user_agents values(ApplicationId) values(OS) by _time user src_ip
4| where failed_attempts > 5 and unique_user_agents > 5 and unique_app_ids > 2
5| `o365_multiple_appids_and_useragents_authentication_spike_filter`
Data Source
| Name | Platform | Sourcetype | Source | Supported App |
|---|---|---|---|---|
| O365 UserLoggedIn | N/A | 'o365:management:activity' |
'o365' |
N/A |
Macros Used
| Name | Value |
|---|---|
| o365_management_activity | sourcetype=o365:management:activity |
| o365_multiple_appids_and_useragents_authentication_spike_filter | search * |
o365_multiple_appids_and_useragents_authentication_spike_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Annotations
MITRE ATT&CK
Kill Chain Phases
NIST
CIS
Threat Actors
KillChainPhase.DELIVERY
KillChainPhase.EXPLOITAITON
KillChainPhase.INSTALLATION
NistCategory.DE_AE
Cis18Value.CIS_10
APT18
APT28
APT29
APT33
APT39
APT41
Akira
Axiom
Carbanak
Chimera
Cinnamon Tempest
Dragonfly
FIN10
FIN4
FIN5
FIN6
FIN7
FIN8
Fox Kitten
GALLIUM
Ke3chang
LAPSUS$
Lazarus Group
Leviathan
OilRig
POLONIUM
PittyTiger
Sandworm Team
Silence
Silent Librarian
Suckfly
Threat Group-3390
Wizard Spider
menuPass
Default Configuration
This detection is configured by default in Splunk Enterprise Security to run with the following settings:
| Setting | Value |
|---|---|
| Disabled | true |
| Cron Schedule | 0 * * * * |
| Earliest Time | -70m@m |
| Latest Time | -10m@m |
| Schedule Window | auto |
| Creates Risk Event | True |
This configuration file applies to all detections of type anomaly. These detections will use Risk Based Alerting.
Implementation
You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.
Known False Positives
Rapid authentication from the same user using more than 5 different user agents and 3 application IDs is highly unlikely under normal circumstances. However, there are potential scenarios that could lead to false positives.
Associated Analytic Story
Risk Based Analytics (RBA)
| Risk Message | Risk Score | Impact | Confidence |
|---|---|---|---|
| $user$ authenticated in a short period of time with more than 5 different user agents across 3 or more unique application ids. | 48 | 60 | 80 |
The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact is set by the analytic author.
References
Detection Testing
| Test Type | Status | Dataset | Source | Sourcetype |
|---|---|---|---|---|
| Validation | ✅ Passing | N/A | N/A | N/A |
| Unit | ✅ Passing | Dataset | o365 |
o365:management:activity |
| Integration | ✅ Passing | Dataset | o365 |
o365:management:activity |
Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range
Source: GitHub | Version: 3