O365 Excessive Authentication Failures Alert
Description
This search detects when an excessive number of authentication failures occur this search also includes attempts against MFA prompt codes
- Type: Anomaly
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel: Authentication
- Last Updated: 2022-02-18
- Author: Rod Soto, Splunk
- ID: d441364c-349c-453b-b55f-12eccab67cf9
Annotations
Kill Chain Phase
- Exploitation
NIST
- DE.AE
CIS20
- CIS 10
CVE
Search
1
2
3
4
5
6
`o365_management_activity` Workload=AzureActiveDirectory UserAuthenticationMethod=* status=failure
| stats count earliest(_time) AS firstTime latest(_time) AS lastTime values(UserAuthenticationMethod) AS UserAuthenticationMethod values(UserAgent) AS UserAgent values(status) AS status values(src_ip) AS src_ip by user
| where count > 10
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `o365_excessive_authentication_failures_alert_filter`
Macros
The SPL above uses the following Macros:
o365_excessive_authentication_failures_alert_filter is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Required fields
List of fields required to use this analytic.
- _time
- Workload
- UserAuthenticationMethod
- status
- UserAgent
- src_ip
- user
How To Implement
You must install splunk Microsoft Office 365 add-on. This search works with o365:management:activity
Known False Positives
The threshold for alert is above 10 attempts and this should reduce the number of false positives.
Associated Analytic Story
RBA
| Risk Score | Impact | Confidence | Message |
|---|---|---|---|
| 64.0 | 80 | 80 | User $user$ has caused excessive number of authentication failures from $src_ip$ using UserAgent $UserAgent$. |
Reference
Test Dataset
Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range
source | version: 2