[Rule Tuning] Add exceptions for non-interactive signin failures for Entra M365 Bruteforce (#4405)

* Add exceptions for non-interactive signin failures.

Include exceptions for error codes, restricted to `NonInteractiveUserSignInLogs` and token refreshes:

- 70043: Refresh token expired or no longer valid due to conditional access frequency checks
- 70044: Session expired or no longer valid due to conditional access frequency checks
- 50057: User account is disabled

* Update rules/integrations/azure/credential_access_entra_signin_brute_force_microsoft_365.toml

* Update metadata for `updated_date`

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
James Valente
2025-05-06 13:13:15 -04:00
committed by GitHub
parent 3a601a10fb
commit 36d595ae2f
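The exclusion described in the commit message, applied to constructed sign-in events as an added example (this is not code from the Elastic rule or from this commit): a Python stand-in for the rule's ES|QL filter that shows which failures still count after the tuning. Field names are the `azure.signinlogs.*` fields the rule reads; the sample events, the use of error code 50126 (invalid username or password) for the brute-force attempts, and the per-user grouping are assumptions, since the rule's own grouping and threshold lie outside the shown hunk.

```python
# Added example: a Python mirror of the tuned ES|QL filter in the Entra M365
# brute-force rule, run over constructed sign-in events. Not code from the
# Elastic rule or the commit. Field names follow the azure.signinlogs.* fields
# the rule queries; the sample events are made up, and grouping failures by
# user principal name is an assumption (the rule's grouping and threshold
# are not part of the shown hunk).
from collections import Counter

# Exclusion added by the commit: these codes are dropped only when they
# arrive on a non-interactive token refresh.
#   70043  refresh token expired / invalid after a CA sign-in frequency check
#   70044  session expired / invalid after a CA sign-in frequency check
#   50057  user account is disabled
EXCLUDED_REFRESH_CODES = {70043, 70044, 50057}
REFRESH_TOKEN_TYPES = {"primaryRefreshToken", "refreshToken"}
SIGNIN_CATEGORIES = {"NonInteractiveUserSignInLogs", "SignInLogs"}


def is_tuned_out(event):
    """Mirror of the new `and not (...)` clause: an event is excluded only
    when category, error code and incoming token type all match."""
    return (
        event["azure.signinlogs.category"] == "NonInteractiveUserSignInLogs"
        and event.get("azure.signinlogs.properties.status.error_code") in EXCLUDED_REFRESH_CODES
        and event.get("azure.signinlogs.properties.incoming_token_type") in REFRESH_TOKEN_TYPES
    )


def is_failed_m365_signin(event):
    """Mirror of the `where` conditions visible in the hunk: an M365 resource,
    an interactive or non-interactive sign-in, not a success, and not
    removed by the refresh-token exclusion."""
    resource = event.get("azure.signinlogs.properties.resource_display_name", "")
    return (
        "365" in resource.lower()  # equivalent of rlike "(.*)365(.*)"
        and event["azure.signinlogs.category"] in SIGNIN_CATEGORIES
        and event.get("event.outcome") != "success"
        and not is_tuned_out(event)
    )


def failures_per_user(events):
    """Count the failures that survive the filter, per user (assumed grouping)."""
    counts = Counter()
    for ev in events:
        if is_failed_m365_signin(ev):
            counts[ev["azure.signinlogs.properties.user_principal_name"]] += 1
    return counts


def _event(category, code, token_type, outcome="failure",
           resource="Office 365 Exchange Online", user="alice@example.com"):
    """Build a constructed sign-in event carrying only the fields the rule reads."""
    return {
        "event.outcome": outcome,
        "azure.signinlogs.category": category,
        "azure.signinlogs.properties.resource_display_name": resource,
        "azure.signinlogs.properties.status.error_code": code,
        "azure.signinlogs.properties.incoming_token_type": token_type,
        "azure.signinlogs.properties.user_principal_name": user,
    }


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Interactive bad-password attempts: the brute-force signal itself.
    _event("SignInLogs", 50126, "none"),
    _event("SignInLogs", 50126, "none"),
    # Background refresh failures from CA sign-in frequency: tuned out.
    _event("NonInteractiveUserSignInLogs", 70043, "primaryRefreshToken"),
    _event("NonInteractiveUserSignInLogs", 70044, "refreshToken"),
    # Listed code but no refresh token presented: still counted.
    _event("NonInteractiveUserSignInLogs", 50057, "none"),
    # Disabled account on an interactive sign-in: exclusion does not apply.
    _event("SignInLogs", 50057, "none", user="bob@example.com"),
    # Non-interactive refresh with a code outside the list: counted.
    _event("NonInteractiveUserSignInLogs", 50126, "refreshToken", user="bob@example.com"),
    # A success and a non-M365 resource: never counted.
    _event("SignInLogs", 0, "none", outcome="success"),
    _event("SignInLogs", 50126, "none", resource="Azure Portal"),
]

if __name__ == "__main__":
    for user, n in sorted(failures_per_user(SAMPLE_EVENTS).items()):
        print(f"{user}: {n} counted failure(s)")
```

The point the sample set makes is that the exclusion is a conjunction: a listed code on a refresh token in the non-interactive log is dropped, but the same code without a refresh token, or in the interactive `SignInLogs` category, still counts, so password guessing against a disabled account is not hidden by the tuning.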
@@ -2,7 +2,8 @@
creation_date = "2024/09/06"
integration = ["azure"]
maturity = "production"
updated_date = "2025/03/20"
updated_date = "2025/04/18"
[rule]
author = ["Elastic"]
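Review bot: `updated_date = "2025/04/18"` in this hunk predates the commit date shown on the page (2025-05-06), so the rule metadata will claim the tuning is older than it is; bump `updated_date` to the day the change lands.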
@@ -91,6 +92,9 @@ from logs-azure.signinlogs*
and to_lower(azure.signinlogs.properties.resource_display_name) rlike "(.*)365(.*)"
and azure.signinlogs.category in ("NonInteractiveUserSignInLogs", "SignInLogs")
and event.outcome != "success"
and not (azure.signinlogs.category == "NonInteractiveUserSignInLogs"
and azure.signinlogs.properties.status.error_code in (70043, 70044, 50057)
and azure.signinlogs.properties.incoming_token_type in ("primaryRefreshToken", "refreshToken"))
// for tuning review azure.signinlogs.properties.status.error_code
// https://learn.microsoft.com/en-us/entra/identity-platform/reference-error-codes
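Review bot: the new exclusion `azure.signinlogs.properties.status.error_code in (70043, 70044, 50057)` has no inline explanation of what the three codes mean or why the clause is further restricted to `incoming_token_type in ("primaryRefreshToken", "refreshToken")`; the only nearby comment is the generic "for tuning review" pointer. Suggest adding a comment beside the clause stating that 70043/70044 are refresh-token and session expiry under conditional access sign-in frequency and 50057 is a disabled account, and that the token-type restriction is what keeps interactive 50057 failures (password guessing against a disabled account) in scope, so the rationale is readable in the rule file rather than only in the commit message.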