security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[Rule Tuning] Attempts to brute force a microsoft 365 user account (#1163)

Browse Source 
Update rules/microsoft-365/credential_access_microsoft_365_brute_force_user_account_attempt.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

(cherry picked from commit 546e43071c)
This commit is contained in:
Austin Songer
2021-06-15 08:20:20 -05:00
committed by github-actions[bot]
parent 8b3d085f73
commit 3d6cefb296
1 changed files with 3 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/microsoft-365/credential_access_microsoft_365_brute_force_user_account_attempt.toml
+3 -3
View File
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/11/30"
maturity = "production"
updated_date = "2021/05/10"
updated_date = "2021/06/09"
[rule]
author = ["Elastic"]
@@ -30,7 +30,8 @@ tags = ["Elastic", "Cloud", "Microsoft 365", "Continuous Monitoring", "SecOps",
type = "threshold"
query = '''
event.dataset:o365.audit and event.provider:AzureActiveDirectory and event.category:authentication and event.action:UserLoginFailed and event.outcome:failure
event.dataset:o365.audit and event.provider:(Exchange or AzureActiveDirectory) and event.category:authentication and
event.action:("UserLoginFailed" or "PasswordLogonInitialAuthUsingPassword") and event.outcome:failure
'''
@@ -50,4 +51,3 @@ reference = "https://attack.mitre.org/tactics/TA0006/"
[rule.threshold]
field = ["user.id"]
value = 10