Try in Splunk Security Cloud

Description

This analytic detects multiple failed login attempts in Office365 Azure Active Directory from a single source IP address. Specifically, it identifies scenarios where there are more than 10 unsuccessful login attempts within a short time frame. The detection leverages Office365 management activity logs, specifically the AzureActiveDirectoryStsLogon records from the AzureActiveDirectory workload. It aggregates these logs in 5-minute intervals to count the number of failed login attempts and associates them with the originating source IP address. Multiple failed login attempts from a single source can be indicative of brute-force attacks, password spraying, or other malicious authentication attempts. Identifying and responding to these patterns promptly can prevent unauthorized access and potential breaches. If this detection represents a true positive, an attacker might be attempting to gain unauthorized access to an Office365 account. Successful compromise could lead to unauthorized access to sensitive data, potential lateral movement within the organization, or further malicious activities using the compromised account.

  • Type: Anomaly
  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud

  • Last Updated: 2020-12-16
  • Author: Bhavin Patel, Mauricio Velazco, Splunk
  • ID: 7f398cfb-918d-41f4-8db8-2e2474e02222

Annotations

ATT&CK

ATT&CK

ID Technique Tactic
T1110.001 Password Guessing Credential Access
T1110 Brute Force Credential Access
Kill Chain Phase
  • Exploitation
NIST
  • DE.AE
CIS20
  • CIS 10
CVE
1
2
3
4
5
`o365_management_activity` Workload=AzureActiveDirectory Operation=UserLoginFailed record_type=AzureActiveDirectoryStsLogon 
| bucket span=5m _time 
| stats dc(_raw) AS failed_attempts values(user) as user values(LogonError) as LogonError values(signature) as signature values(UserAgent) as UserAgent by _time, src_ip 
| where failed_attempts > 10 
| `high_number_of_login_failures_from_a_single_source_filter`

Macros

The SPL above uses the following Macros:

:information_source: high_number_of_login_failures_from_a_single_source_filter is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Required fields

List of fields required to use this analytic.

  • _time
  • Operation
  • record_type
  • app
  • user
  • LogonError
  • authentication_method
  • signature
  • UserAgent
  • src_ip
  • record_type

How To Implement

You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. Adjust the threshold value to suit the specific environment, as environments with naturally higher login failures might generate false positives at a lower threshold.

Known False Positives

An Ip address with more than 10 failed authentication attempts in the span of 5 minutes may also be triggered by a broken application.

Associated Analytic Story

RBA

Risk Score Impact Confidence Message
25.0 50 50 Ip address $src_ip$ failed to authenticate more than 10 times in a 5 minute

:information_source: The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact is set by the analytic author.

Reference

Test Dataset

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

source | version: 2