[Rule Tuning] O365 Excessive Single Sign-On Logon Errors (#1680)

* Change event.category to authentication

The original had the event.category as "web"; the correct value is "authentication".

* Changed updated_date to today's date

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Trevor Miller
2022-01-20 03:32:30 -08:00
committed by GitHub
parent 865771886e
commit 101b781bef
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2021/05/17"
maturity = "production"
updated_date = "2021/10/11"
updated_date = "2021/12/30"
integration = "o365"
[rule]
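Review bot: The new updated_date value "2021/12/30" in the [metadata] block does not match the commit timestamp shown above (2022-01-20), although the commit message says it was set to today's date. If updated_date is meant to record when the rule change lands, bump it to the merge date so that consumers comparing rule versions by date pick up the query fix.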
@@ -32,7 +32,7 @@ type = "threshold"
query = '''
event.dataset:o365.audit and event.provider:AzureActiveDirectory and event.category:web and o365.audit.LogonError:"SsoArtifactInvalidOrExpired"
event.dataset:o365.audit and event.provider:AzureActiveDirectory and event.category:authentication and o365.audit.LogonError:"SsoArtifactInvalidOrExpired"
'''
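Review bot: The query line swaps event.category:web for event.category:authentication with no fallback, so any o365.audit events that were indexed with the old category value will no longer count toward the threshold and the rule would go quiet without an error. Please attach a sample SsoArtifactInvalidOrExpired event showing the category value, and consider whether `event.category:(web or authentication)` is safer for a transition period. It is also worth confirming that the threshold settings outside this hunk still fit the event volume the corrected filter returns.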