⚠️ WARNING: THIS IS AN EXPERIMENTAL DETECTION
We have not been able to test, simulate or build datasets for it; use at your own risk!
This search will detect more than 5 login failures in Office 365 Azure Active Directory from a single source IP address. Please adjust the threshold value of 5 to suit your environment.
- Type: Anomaly
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Last Updated: 2020-12-16
- Author: Bhavin Patel, Splunk
- ID: 7f398cfb-918d-41f4-8db8-2e2474e02222
| ID | Technique | Tactic |
|---|---|---|
| T1110.001 | Password Guessing | Credential Access |
```spl
`o365_management_activity` Operation=UserLoginFailed record_type=AzureActiveDirectoryStsLogon app=AzureActiveDirectory
| stats count dc(user) as accounts_locked values(user) as user values(LogonError) as LogonError values(authentication_method) as authentication_method values(signature) as signature values(UserAgent) as UserAgent by src_ip record_type Operation app
| search accounts_locked >= 5
| `high_number_of_login_failures_from_a_single_source_filter`
```
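Since the page says the search has not been simulated against a dataset, the following added example (not part of the original detection or Splunk's code) reproduces the search's filter, `stats ... by src_ip` and threshold logic in Python over a small constructed set of Office 365 events, so the behaviour of the threshold can be checked offline. All sample IPs, users and user agents are made up; the field names match those in the SPL above.

```python
from collections import defaultdict


def make_event(src_ip, user, operation="UserLoginFailed",
               logon_error="InvalidUserNameOrPassword", user_agent="python-requests/2.31"):
    """Build one constructed O365 management-activity event with the fields the search uses."""
    return {"Operation": operation, "record_type": "AzureActiveDirectoryStsLogon",
            "app": "AzureActiveDirectory", "src_ip": src_ip, "user": user,
            "LogonError": logon_error, "authentication_method": "Password",
            "signature": operation, "UserAgent": user_agent}


# Constructed sample dataset (not real telemetry): one source failing against six
# different accounts, one source where a single user retries eight times, and one
# successful login that the Operation filter must exclude.
SAMPLE_EVENTS = (
    [make_event("198.51.100.7", f"user{i}@example.com") for i in range(6)]
    + [make_event("203.0.113.9", "alice@example.com") for _ in range(8)]
    + [make_event("198.51.100.7", "bob@example.com", operation="UserLoggedIn", logon_error="")]
)

MULTIVALUE_FIELDS = ("user", "LogonError", "authentication_method", "signature", "UserAgent")


def high_login_failures(events, threshold=5):
    """Mirror the SPL: keep UserLoginFailed STS logons, group by src_ip, and report
    groups whose distinct-user count (dc(user), named accounts_locked) is >= threshold."""
    groups = defaultdict(lambda: {"count": 0, **{f: set() for f in MULTIVALUE_FIELDS}})
    for e in events:
        if (e.get("Operation") != "UserLoginFailed"
                or e.get("record_type") != "AzureActiveDirectoryStsLogon"
                or e.get("app") != "AzureActiveDirectory"):
            continue  # same effect as the base-search field filters
        g = groups[e["src_ip"]]
        g["count"] += 1
        for field in MULTIVALUE_FIELDS:
            g[field].add(e[field])  # values(field): set of observed values
    results = []
    for src_ip, g in groups.items():
        accounts_locked = len(g["user"])  # dc(user): distinct users, not literal lockouts
        if accounts_locked >= threshold:  # | search accounts_locked >= 5
            row = {"src_ip": src_ip, "count": g["count"], "accounts_locked": accounts_locked}
            row.update({f: sorted(g[f]) for f in MULTIVALUE_FIELDS})
            results.append(row)
    return sorted(results, key=lambda r: r["src_ip"])


if __name__ == "__main__":
    for hit in high_login_failures(SAMPLE_EVENTS):
        print(hit)
```

Running it shows that only 198.51.100.7 is reported: the threshold in the search is applied to `dc(user)`, so 203.0.113.9 with eight failures for one account is not flagged, which is worth keeping in mind when tuning the value of 5.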
Associated Analytic Story
How To Implement
Kill Chain Phase
- Actions on Objectives
Known False Positives
source | version: 1