From 3d6cefb296a4d6e640700019f5be5c28d5eec5f8 Mon Sep 17 00:00:00 2001
From: Austin Songer
Date: Tue, 15 Jun 2021 08:20:20 -0500
Subject: [PATCH] [Rule Tuning] Attempts to brute force a microsoft 365 user account (#1163)

Update rules/microsoft-365/credential_access_microsoft_365_brute_force_user_account_attempt.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
(cherry picked from commit 546e43071c6951db527b53e0edcdf03fd3471eef)
---
 ...cess_microsoft_365_brute_force_user_account_attempt.toml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/rules/microsoft-365/credential_access_microsoft_365_brute_force_user_account_attempt.toml b/rules/microsoft-365/credential_access_microsoft_365_brute_force_user_account_attempt.toml
index 9ed5bcec4..a9d84520e 100644
--- a/rules/microsoft-365/credential_access_microsoft_365_brute_force_user_account_attempt.toml
+++ b/rules/microsoft-365/credential_access_microsoft_365_brute_force_user_account_attempt.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/30"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/06/09"
 
 [rule]
 author = ["Elastic"]
@@ -30,7 +30,8 @@ tags = ["Elastic", "Cloud", "Microsoft 365", "Continuous Monitoring", "SecOps",
 type = "threshold"
 
 query = '''
-event.dataset:o365.audit and event.provider:AzureActiveDirectory and event.category:authentication and event.action:UserLoginFailed and event.outcome:failure
+event.dataset:o365.audit and event.provider:(Exchange or AzureActiveDirectory) and event.category:authentication and
+event.action:("UserLoginFailed" or "PasswordLogonInitialAuthUsingPassword") and event.outcome:failure
 '''
 
 
@@ -50,4 +51,3 @@ reference = "https://attack.mitre.org/tactics/TA0006/"
 [rule.threshold]
 field = ["user.id"]
 value = 10
-
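Review bot: The rewritten query quotes the event.action values ("UserLoginFailed", "PasswordLogonInitialAuthUsingPassword") while leaving event.dataset:o365.audit and event.provider:(Exchange or AzureActiveDirectory) unquoted, which is inconsistent within one KQL expression; either quote the provider values as well or drop the quotes on the actions, e.g. `event.action:(UserLoginFailed or PasswordLogonInitialAuthUsingPassword) and event.outcome:failure`. The threshold still groups on user.id (third hunk), so it is worth confirming that Exchange and AzureActiveDirectory events in o365.audit populate user.id the same way; if they do not, failures from the two providers for the same account would be counted separately and the value of 10 would be harder to reach. The rule's name, description and note fields are outside the hunk; if they still describe only Azure Active Directory sign-in failures, they should be updated to mention the Exchange password logon path the query now covers.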