security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
80098113d06750ddb9ab275d7df1049f88d4ea7c
blue-team-tools/rules/cloud/azure/azure_ad_auth_failure_increase.yml
T
Mark Morowczynski 7a5d715d83 Last remaining AAD SecOps Guide rules (#3364) 
* Last remaining AAD SecOps Guide rules
2022-08-17 20:57:58 +02:00

22 lines
672 B
YAML
Raw Blame History

title: Increased Failed Authentications Of Any Type
id: e1d02b53-c03c-4948-b11d-4d00cca49d03
status: experimental
description: Detects when sign-ins increased by 10% or greater.
author: Mark Morowczynski '@markmorow', MikeDuddington, '@dudders1'
date: 2022/08/11
references:
- https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins
logsource:
product: azure
service: signinlogs
detection:
selection:
Status: failure
Count: "<10%"
condition: selection
falsepositives:
- Unlikely
tags:
- attack.valid_accounts
- attack.t1078
level: medium
Reference in New Issue View Git Blame Copy Permalink