From b5a47ef9675c7efba3aa4e4246a3f30f1b3d86f3 Mon Sep 17 00:00:00 2001
From: Corissa Lea Koopmans <33907780+Corissalea@users.noreply.github.com>
Date: Mon, 30 May 2022 05:35:52 -0500
Subject: [PATCH] Create azure_aad_secops _signin_failure_bad_password_threshold.yml

---
 ..._signin_failure_bad_password_threshold.yml | 27 +++++++++++++++++++
 1 file changed, 27 insertions(+)
 create mode 100644 rules/cloud/azure/azure_aad_secops _signin_failure_bad_password_threshold.yml

diff --git a/rules/cloud/azure/azure_aad_secops _signin_failure_bad_password_threshold.yml b/rules/cloud/azure/azure_aad_secops _signin_failure_bad_password_threshold.yml
new file mode 100644
index 000000000..89e333ff3
--- /dev/null
+++ b/rules/cloud/azure/azure_aad_secops _signin_failure_bad_password_threshold.yml
@@ -0,0 +1,27 @@
+title: Sign-in failure Bad Password Threshold
+id: dff74231-dbed-42ab-ba49-83289be2ac3a
+description: Define a baseline threshold and then monitor and adjust to suit your organizational behaviors and limit false alerts from being generated.
+author: Corissa Koopmans, '@corissalea'
+date: 2022/04/21
+references:
+ - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor
+logsource:
+ product: azure
+ service: signinlogs
+detection:
+ selection:
+ ResultType: 50126
+ ResultDescription: Invalid username or password or Invalid on-premises username or password.
+ filter_computer:
+ TargetUserName|endswith: '$'
+ condition: selection and not filter_computer | count(TargetUserName) by IpAddress > 10
+falsepositives:
+ - Failed Azure AD Connect Synchronization
+ - Service account use with an incorrect password specified
+ - Misconfigured systems
+ - Vulnerability scanners
+level: high
+status: experimental
+tags:
+ - attack.bruteforce
+ - attack.t1110
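Review bot: The aggregation in `condition: selection and not filter_computer | count(TargetUserName) by IpAddress > 10` carries no `timeframe`, so the per-IP distinct-user count is taken over whatever window the backend or the analyst's search happens to use, and the `> 10` threshold the description asks operators to baseline is not comparable from one deployment to the next; add `timeframe: 10m` (or whichever window the baseline is measured over) as a sibling of `condition` under `detection`. The exact-string match on `ResultDescription` is also brittle: it must equal the backend's rendering of the 50126 message character for character, and any mismatch silently disables the rule even though `ResultType: 50126` on its own already identifies the bad-password case, so I would drop that line or keep the text only as a comment. The field names `TargetUserName` and `IpAddress` and the `$`-suffix computer-account filter look like Windows Security-log conventions rather than Azure AD sign-in log fields (`UserPrincipalName`, `IPAddress`), and the reference link does not settle this, so it is worth confirming against the target backend's field mapping before the rule leaves `status: experimental`. The created path `azure_aad_secops _signin_failure_bad_password_threshold.yml` contains a space before `_signin`, which looks unintended.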