⚠️ WARNING THIS IS A EXPERIMENTAL DETECTION

We have not been able to test, simulate or build datasets for it, use at your own risk!

Try in Splunk Security Cloud

Description

This search will detect more than 5 login failures in Office365 Azure Active Directory from a single source IP address. Please adjust the threshold value of 5 as suited for your environment.

  • Type: Anomaly
  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • Last Updated: 2020-12-16
  • Author: Bhavin Patel, Splunk
  • ID: 7f398cfb-918d-41f4-8db8-2e2474e02222

ATT&CK

ID Technique Tactic
T1110.001 Password Guessing Credential Access
T1110 Brute Force Credential Access
`o365_management_activity` Operation=UserLoginFailed  record_type=AzureActiveDirectoryStsLogon app=AzureActiveDirectory 
| stats count dc(user) as accounts_locked values(user) as user values(LogonError) as LogonError values(authentication_method) as authentication_method values(signature) as signature values(UserAgent) as UserAgent by src_ip record_type Operation app 
| search accounts_locked >= 5
| `high_number_of_login_failures_from_a_single_source_filter`

Associated Analytic Story

How To Implement

Required field

  • _time
  • Operation
  • record_type
  • app
  • user
  • LogonError
  • authentication_method
  • signature
  • UserAgent
  • src_ip
  • record_type

Kill Chain Phase

  • Actions on Objectives

Known False Positives

unknown

Reference

Test Dataset

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

source | version: 1