From 36d595ae2fb292e0c1e2bd017c07c586acdb2122 Mon Sep 17 00:00:00 2001
From: James Valente <65730960+jvalente-salemstate@users.noreply.github.com>
Date: Tue, 6 May 2025 13:13:15 -0400
Subject: [PATCH] [Rule Tuning] Add exceptions for non-interactive signin failures for Entra M365 Bruteforce (#4405)

* Add exceptions for non-interactive signin failures. Include exceptions for error codes, restricted to `NonInteractiveUserSignInLogs` and token refreshes:
- 70043 : Refresh token expired or no longer valid due to conditional access frequency checks
- 70044 : Session expired or no longer valid due to conditional access frequency checks
- 50057 : User account is disabled
* Update rules/integrations/azure/credential_access_entra_signin_brute_force_microsoft_365.toml
* Update metadata for `updated_date`
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Mika Ayenson, PhD
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
---
 ...ntial_access_entra_signin_brute_force_microsoft_365.toml | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/rules/integrations/azure/credential_access_entra_signin_brute_force_microsoft_365.toml b/rules/integrations/azure/credential_access_entra_signin_brute_force_microsoft_365.toml
index dd16980f8..e441b5a2a 100644
--- a/rules/integrations/azure/credential_access_entra_signin_brute_force_microsoft_365.toml
+++ b/rules/integrations/azure/credential_access_entra_signin_brute_force_microsoft_365.toml
@@ -2,7 +2,8 @@
 creation_date = "2024/09/06"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/03/20"
+updated_date = "2025/04/18"
+
 
 [rule]
 author = ["Elastic"]
@@ -91,6 +92,9 @@ from logs-azure.signinlogs*
 and to_lower(azure.signinlogs.properties.resource_display_name) rlike "(.*)365(.*)"
 and azure.signinlogs.category in ("NonInteractiveUserSignInLogs", "SignInLogs")
 and event.outcome != "success"
+ and not (azure.signinlogs.category == "NonInteractiveUserSignInLogs"
+ and azure.signinlogs.properties.status.error_code in (70043, 70044, 50057)
+ and azure.signinlogs.properties.incoming_token_type in ("primaryRefreshToken", "refreshToken"))
 // for tuning review azure.signinlogs.properties.status.error_code
 // https://learn.microsoft.com/en-us/entra/identity-platform/reference-error-codes