Create azure_aad_secops _signin_failure_bad_password_threshold.yml
This commit is contained in:
Corissa Lea Koopmans
@@ -0,0 +1,27 @@
|
||||
title: Sign-in failure Bad Password Threshold
|
||||
id: dff74231-dbed-42ab-ba49-83289be2ac3a
|
||||
description: Define a baseline threshold and then monitor and adjust to suit your organizational behaviors and limit false alerts from being generated.
|
||||
author: Corissa Koopmans, '@corissalea'
|
||||
date: 2022/04/21
|
||||
references:
|
||||
- https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor
|
||||
logsource:
|
||||
product: azure
|
||||
service: signinlogs
|
||||
detection:
|
||||
selection:
|
||||
ResultType: 50126
|
||||
ResultDescription: Invalid username or password or Invalid on-premises username or password.
|
||||
filter_computer:
|
||||
TargetUserName|endswith: '$'
|
||||
condition: selection and not filter_computer | count(TargetUserName) by IpAddress > 10
|
||||
falsepositives:
|
||||
- Failed Azure AD Connect Synchronization
|
||||
- Service account use with an incorrect password specified
|
||||
- Misconfigured systems
|
||||
- Vulnerability scanners
|
||||
level: high
|
||||
status: experimental
|
||||
tags:
|
||||
- attack.bruteforce
|
||||
- attack.t1110
|
||||
Reference in New Issue
Block a user