From 34294fbe6de810c7f2a01f3d16a0929c72b40a2f Mon Sep 17 00:00:00 2001
From: James Valente <65730960+jvalente-salemstate@users.noreply.github.com>
Date: Thu, 30 May 2024 04:12:36 -0400
Subject: [PATCH] Add exceptions to brute force threshold rule. (#3712)

High volume, machine generated failures or MFA interruptions have been added to the rule.

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
---
 ...cess_microsoft_365_brute_force_user_account_attempt.toml | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/rules/integrations/o365/credential_access_microsoft_365_brute_force_user_account_attempt.toml b/rules/integrations/o365/credential_access_microsoft_365_brute_force_user_account_attempt.toml
index eefc98fb4..2edd8b372 100644
--- a/rules/integrations/o365/credential_access_microsoft_365_brute_force_user_account_attempt.toml
+++ b/rules/integrations/o365/credential_access_microsoft_365_brute_force_user_account_attempt.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/30"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/05/24"
 
 [rule]
 author = ["Elastic", "Willem D'Haese", "Austin Songer"]
@@ -41,7 +41,9 @@ query = '''
 event.dataset:o365.audit and event.provider:(AzureActiveDirectory or Exchange) and
   event.category:authentication and event.action:(UserLoginFailed or PasswordLogonInitialAuthUsingPassword) and
   not o365.audit.LogonError:(UserAccountNotFound or EntitlementGrantsNotFound or UserStrongAuthEnrollmentRequired or
-  UserStrongAuthClientAuthNRequired or InvalidReplyTo)
+  UserStrongAuthClientAuthNRequired or InvalidReplyTo or SsoArtifactExpiredDueToConditionalAccess or
+  PasswordResetRegistrationRequiredInterrupt or SsoUserAccountNotFoundInResourceTenant or
+  UserStrongAuthExpired)
 '''