GitHub Repo

Detection: O365 Multiple AppIDs and UserAgents Authentication Spike

Updated Date: 2026-05-13 ID: 66adc486-224d-45c1-8e4d-9e7eeaba988f Author: Mauricio Velazco, Splunk Type: Anomaly Product: Splunk Enterprise Security

Description

The following analytic identifies unusual authentication activity in an O365 environment, where a single user account experiences more than 8 authentication attempts using 3 or more unique application IDs and over 5 unique user agents within a short timeframe. It leverages O365 audit logs, focusing on authentication events and applying statistical thresholds. This behavior is significant as it may indicate an adversary probing for multi-factor authentication weaknesses. If confirmed malicious, it suggests a compromised account, potentially leading to unauthorized access, privilege escalation, and data exfiltration. Early detection is crucial to prevent further exploitation.

 1`o365_management_activity` Workload=AzureActiveDirectory (Operation=UserLoggedIn OR Operation=UserLoginFailed)
 2  
 3| bucket span=5m _time
 4  
 5| stats dc(_raw) as failed_attempts dc(ApplicationId) as unique_app_ids dc(UserAgent) as unique_user_agents values(ApplicationId) values(OS) values(signature) as signature
 6    BY _time user src
 7       vendor_account vendor_product dest
 8  
 9| where failed_attempts > 5 and unique_user_agents > 5 and unique_app_ids > 2
10  
11| `o365_multiple_appids_and_useragents_authentication_spike_filter`

Data Source

Name Platform Sourcetype Source
O365 UserLoginFailed Other 'o365:management:activity' 'o365'
O365 UserLoggedIn Other 'o365:management:activity' 'o365'

Macros Used

Name Value
o365_management_activity sourcetype=o365:management:activity
o365_multiple_appids_and_useragents_authentication_spike_filter search *
o365_multiple_appids_and_useragents_authentication_spike_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Annotations

- MITRE ATT&CK
+ Kill Chain Phases
+ NIST
+ CIS
- Threat Actors
ID Technique Tactic
T1078 Valid Accounts Initial Access
Delivery
Exploitation
Installation
DE.AE
CIS 10

Default Configuration

This detection is configured by default in Splunk Enterprise Security to run with the following settings:

Setting Value
Disabled true
Cron Schedule 0 * * * *
Earliest Time -70m@m
Latest Time -10m@m
Schedule Window auto
Creates Finding (Notable) No
Creates Intermediate Finding (Risk Event) Yes
Anomaly detections generate Intermediate Findings (Risk Events). They do not generate a Finding (Notable) directly.

Implementation

You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.

Known False Positives

Rapid authentication from the same user using more than 5 different user agents and 3 application IDs is highly unlikely under normal circumstances. However, there are potential scenarios that could lead to false positives.

Associated Analytic Story

Intermediate Findings

Message Entity Field Entity Type Risk Score
$user$ authenticated in a short period of time with more than 5 different user agents across 3 or more unique application ids. user user 20

Threat Objects

Field Type
src ip_address

References

Detection Testing

Test Type Status Dataset Source Sourcetype
Validation Passing N/A N/A N/A
Unit Passing Dataset o365 o365:management:activity
Integration ✅ Passing Dataset o365 o365:management:activity

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

Source: GitHub | Version: 11