[Rule Tuning] Attempts to Brute Force a Microsoft 365 User Account (#1251)

* Update credential_access_microsoft_365_brute_force_user_account_attempt.toml

* add authors
Brent Murphy
2021-06-22 10:38:49 -04:00
committed by GitHub
parent a8c9d7174f
commit d8ef9a81ef
@@ -1,10 +1,10 @@
[metadata]
creation_date = "2020/11/30"
maturity = "production"
updated_date = "2021/06/09"
updated_date = "2021/06/15"
[rule]
author = ["Elastic"]
author = ["Elastic", "Willem D'Haese", "Austin Songer"]
description = """
Identifies attempts to brute force a Microsoft 365 user account. An adversary may attempt a brute force attack to obtain
unauthorized access to user accounts.
@@ -23,6 +23,7 @@ name = "Attempts to Brute Force a Microsoft 365 User Account"
note = """## Config
The Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = ["https://blueteamblog.com/7-ways-to-monitor-your-office-365-logs-using-siem"]
risk_score = 73
rule_id = "26f68dba-ce29-497b-8e13-b4fde1db5a2d"
severity = "high"
@@ -30,8 +31,10 @@ tags = ["Elastic", "Cloud", "Microsoft 365", "Continuous Monitoring", "SecOps",
type = "threshold"
query = '''
event.dataset:o365.audit and event.provider:(Exchange or AzureActiveDirectory) and event.category:authentication and
event.action:("UserLoginFailed" or "PasswordLogonInitialAuthUsingPassword") and event.outcome:failure
event.dataset:o365.audit and event.provider:(AzureActiveDirectory or Exchange) and
event.category:authentication and event.action:(UserLoginFailed or PasswordLogonInitialAuthUsingPassword) and
not o365.audit.LogonError:(UserAccountNotFound or EntitlementGrantsNotFound or UserStrongAuthEnrollmentRequired or
UserStrongAuthClientAuthNRequired or InvalidReplyTo) and event.outcome:failure
'''