From c215c44809ff2747fb54a7fc55b534f0b05c24e5 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Tue, 22 Jun 2021 12:36:13 -0500 Subject: [PATCH] [Rule Tuning] Potential password spraying of microsoft 365 user accounts (#1164) * Update impact_iam_deactivate_mfa_device.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com> --- ...s_microsoft_365_potential_password_spraying_attack.toml | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/rules/microsoft-365/credential_access_microsoft_365_potential_password_spraying_attack.toml b/rules/microsoft-365/credential_access_microsoft_365_potential_password_spraying_attack.toml index ddc55dae8..02f923c55 100644 --- a/rules/microsoft-365/credential_access_microsoft_365_potential_password_spraying_attack.toml +++ b/rules/microsoft-365/credential_access_microsoft_365_potential_password_spraying_attack.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/12/01" maturity = "production" -updated_date = "2021/05/10" +updated_date = "2021/05/24" [rule] author = ["Elastic"] @@ -31,10 +31,10 @@ tags = ["Elastic", "Cloud", "Microsoft 365", "Continuous Monitoring", "SecOps", type = "threshold" query = ''' -event.dataset:o365.audit and event.provider:AzureActiveDirectory and event.category:authentication and event.action:UserLoginFailed and event.outcome:failure +event.dataset:o365.audit and event.provider:(Exchange or AzureActiveDirectory) and event.category:authentication and +event.action:("UserLoginFailed" or "PasswordLogonInitialAuthUsingPassword") and event.outcome:failure ''' - [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -51,4 +51,3 @@ reference = "https://attack.mitre.org/tactics/TA0006/" [rule.threshold] field = ["source.ip"] value = 25 -