
Entra ID Sign-in Brute Force Attempted (Microsoft 365)

Status: production
Severity: medium
Time window: 1h
Group by: Esql.time_window_date_trunc
Author: Elastic
Source: github.com/elastic/detection-rules

Identifies potential brute-force attacks targeting Microsoft 365 user accounts by analyzing failed sign-in patterns in Microsoft Entra ID Sign-In Logs. This detection focuses on a high volume of failed interactive or non-interactive authentication attempts within a short time window, often indicative of password spraying, credential stuffing, or password guessing. Adversaries may use these techniques to gain unauthorized access to Microsoft 365 services such as Exchange Online, SharePoint, or Teams.

Rule body (elastic)

[metadata]
creation_date = "2024/09/06"
integration = ["azure"]
maturity = "production"
updated_date = "2026/04/10"

[rule]
author = ["Elastic"]
description = """
Identifies potential brute-force attacks targeting Microsoft 365 user accounts by analyzing failed sign-in patterns in
Microsoft Entra ID Sign-In Logs. This detection focuses on a high volume of failed interactive or non-interactive
authentication attempts within a short time window, often indicative of password spraying, credential stuffing, or
password guessing. Adversaries may use these techniques to gain unauthorized access to Microsoft 365 services such as
Exchange Online, SharePoint, or Teams.
"""
false_positives = [
    """
    Automated processes that attempt to authenticate using expired credentials or have misconfigured authentication
    settings may lead to false positives.
    """,
]
from = "now-60m"
interval = "15m"
language = "esql"
license = "Elastic License v2"
name = "Entra ID Sign-in Brute Force Attempted (Microsoft 365)"
note = """## Triage and analysis

### Investigating Entra ID Sign-in Brute Force Attempted (Microsoft 365)

Identifies brute-force authentication activity against Microsoft 365 services using Entra ID sign-in logs. This detection groups and classifies failed sign-in attempts based on behavior indicative of password spraying, credential stuffing, or password guessing. The classification (`bf_type`) is included for immediate triage.

### Possible investigation steps

- Review `bf_type`: Classifies the brute-force behavior (`password_spraying`, `credential_stuffing`, `password_guessing`).
- Examine `user_id_list`: Review the identities targeted. Are they admins, service accounts, or external identities?
- Review `login_errors`: Multiple identical errors (e.g., `"Invalid grant..."`) suggest automated abuse or tooling.
- Check `ip_list` and `source_orgs`: Determine if requests came from known VPNs, hosting providers, or anonymized infrastructure.
- Validate `unique_ips` and `countries`: Multiple countries or IPs in a short window may indicate credential stuffing or distributed spray attempts.
- Compare `total_attempts` vs `duration_seconds`: High volume over a short duration supports non-human interaction.
- Inspect `user_agent.original` via `device_detail_browser`: Clients like `Python Requests` or `curl` are highly suspicious.
- Investigate `client_app_display_name` and `incoming_token_type`: Identify non-browser-based logins, token abuse or commonly mimicked clients like VSCode.
- Review `target_resource_display_name`: Confirm the service being targeted (e.g., SharePoint, Exchange). This may be what authorization is being attempted against.
- Pivot using `session_id` and `device_detail_device_id`: Determine if a single device is spraying multiple accounts.
- Check `conditional_access_status`: If "notApplied", determine whether conditional access is properly scoped.
- Correlate `user_principal_name` with successful sign-ins: Investigate surrounding logs for lateral movement or privilege abuse.

### False positive analysis

- Developer automation (e.g., CI/CD logins) or mobile sync errors may create noisy but benign login failures.
- Red team exercises or pentesting can resemble brute-force patterns.
- Legacy protocols or misconfigured service principals may trigger repeated login failures from the same IP or session.

### Response and remediation

- Notify identity or security operations teams to investigate further.
- Lock or reset affected user accounts if compromise is suspected.
- Block the source IP(s) or ASN temporarily using conditional access or firewall rules.
- Review tenant-wide MFA and conditional access enforcement.
- Audit targeted accounts for password reuse across systems or tenants.
- Enable lockout or throttling policies for repeated failed login attempts.
"""
references = [
    "https://cloud.hacktricks.xyz/pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/az-password-spraying",
    "https://learn.microsoft.com/en-us/security/operations/incident-response-playbook-password-spray",
    "https://learn.microsoft.com/en-us/purview/audit-log-detailed-properties",
    "https://securityscorecard.com/research/massive-botnet-targets-m365-with-stealthy-password-spraying-attacks/",
    "https://learn.microsoft.com/en-us/entra/identity-platform/reference-error-codes",
    "https://github.com/0xZDH/Omnispray",
    "https://github.com/0xZDH/o365spray",
]
risk_score = 47
rule_id = "35ab3cfa-6c67-11ef-ab4d-f661ea17fbcc"
severity = "medium"
tags = [
    "Domain: Cloud",
    "Domain: SaaS",
    "Domain: Identity",
    "Data Source: Azure",
    "Data Source: Entra ID",
    "Data Source: Entra ID Sign-in Logs",
    "Use Case: Identity and Access Audit",
    "Use Case: Threat Detection",
    "Tactic: Credential Access",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "esql"

query = '''
from logs-azure.signinlogs-*

| eval
    Esql.time_window_date_trunc = date_trunc(15 minutes, @timestamp),
    Esql_priv.azure_signinlogs_properties_user_principal_name_lower = to_lower(azure.signinlogs.properties.user_principal_name),
    Esql.azure_signinlogs_properties_incoming_token_type_lower = to_lower(azure.signinlogs.properties.incoming_token_type),
    Esql.azure_signinlogs_properties_app_display_name_lower = to_lower(azure.signinlogs.properties.app_display_name),
    Esql.user_agent_original = user_agent.original

| where data_stream.dataset == "azure.signinlogs"
    and event.category == "authentication"
    and azure.signinlogs.category in ("NonInteractiveUserSignInLogs", "SignInLogs")
    and azure.signinlogs.properties.resource_display_name rlike "(.*)365|SharePoint|Exchange|Teams|Office(.*)"
    and event.outcome == "failure"
    and azure.signinlogs.properties.status.error_code != 50053
    and azure.signinlogs.properties.status.error_code in (
        50034,  // UserAccountNotFound
        50126,  // InvalidUsernameOrPassword
        50055,  // PasswordExpired
        50056,  // InvalidPassword
        50057,  // UserDisabled
        50064,  // CredentialValidationFailure
        50076,  // MFARequiredButNotPassed
        50079,  // MFARegistrationRequired
        50105,  // EntitlementGrantsNotFound
        70000,  // InvalidGrant
        70008,  // ExpiredOrRevokedRefreshToken
        70043,  // BadTokenDueToSignInFrequency
        80002,  // OnPremisePasswordValidatorRequestTimedOut
        80005,  // OnPremisePasswordValidatorUnpredictableWebException
        50144,  // InvalidPasswordExpiredOnPremPassword
        50135,  // PasswordChangeCompromisedPassword
        50142,  // PasswordChangeRequiredConditionalAccess
        120000, // PasswordChangeIncorrectCurrentPassword
        120002, // PasswordChangeInvalidNewPasswordWeak
        120020  // PasswordChangeFailure
    )
    and azure.signinlogs.properties.user_principal_name is not null
    and azure.signinlogs.properties.user_principal_name != ""
    and user_agent.original != "Mozilla/5.0 (compatible; MSAL 1.0) PKeyAuth/1.0"

| stats
    Esql.azure_signinlogs_properties_authentication_requirement_values = values(azure.signinlogs.properties.authentication_requirement),
    Esql.azure_signinlogs_properties_app_id_values = values(azure.signinlogs.properties.app_id),
    Esql.azure_signinlogs_properties_app_display_name_values = values(azure.signinlogs.properties.app_display_name),
    Esql.azure_signinlogs_properties_resource_id_values = values(azure.signinlogs.properties.resource_id),
    Esql.azure_signinlogs_properties_resource_display_name_values = values(azure.signinlogs.properties.resource_display_name),
    Esql.azure_signinlogs_properties_conditional_access_status_values = values(azure.signinlogs.properties.conditional_access_status),
    Esql.azure_signinlogs_properties_device_detail_browser_values = values(azure.signinlogs.properties.device_detail.browser),
    Esql.azure_signinlogs_properties_device_detail_device_id_values = values(azure.signinlogs.properties.device_detail.device_id),
    Esql.azure_signinlogs_properties_device_detail_operating_system_values = values(azure.signinlogs.properties.device_detail.operating_system),
    Esql.azure_signinlogs_properties_incoming_token_type_values = values(azure.signinlogs.properties.incoming_token_type),
    Esql.azure_signinlogs_properties_risk_state_values = values(azure.signinlogs.properties.risk_state),
    Esql.azure_signinlogs_properties_session_id_values = values(azure.signinlogs.properties.session_id),
    Esql.azure_signinlogs_properties_user_id_values = values(azure.signinlogs.properties.user_id),
    Esql_priv.azure_signinlogs_properties_user_principal_name_values = values(azure.signinlogs.properties.user_principal_name),
    Esql.azure_signinlogs_result_description_values = values(azure.signinlogs.result_description),
    Esql.azure_signinlogs_result_signature_values = values(azure.signinlogs.result_signature),
    Esql.azure_signinlogs_result_type_values = values(azure.signinlogs.result_type),

    Esql.azure_signinlogs_properties_user_principal_name_lower_count_distinct = count_distinct(Esql_priv.azure_signinlogs_properties_user_principal_name_lower),
    Esql_priv.azure_signinlogs_properties_user_principal_name_lower_values = values(Esql_priv.azure_signinlogs_properties_user_principal_name_lower),
    Esql.azure_signinlogs_result_description_count_distinct = count_distinct(azure.signinlogs.result_description),
    Esql.azure_signinlogs_result_description_values = values(azure.signinlogs.result_description),
    Esql.azure_signinlogs_properties_status_error_code_count_distinct = count_distinct(azure.signinlogs.properties.status.error_code),
    Esql.azure_signinlogs_properties_status_error_code_values = values(azure.signinlogs.properties.status.error_code),
    Esql.azure_signinlogs_properties_incoming_token_type_lower_values = values(Esql.azure_signinlogs_properties_incoming_token_type_lower),
    Esql.azure_signinlogs_properties_app_display_name_lower_values = values(Esql.azure_signinlogs_properties_app_display_name_lower),
    Esql.source_ip_values = values(source.ip),
    Esql.source_ip_count_distinct = count_distinct(source.ip),
    Esql.source_as_organization_name_values = values(source.`as`.organization.name),
    Esql.source_as_organization_name_count_distinct = count_distinct(source.`as`.organization.name),
    Esql.source_geo_country_name_values = values(source.geo.country_name),
    Esql.source_geo_country_name_count_distinct = count_distinct(source.geo.country_name),
    Esql.@timestamp.min = min(@timestamp),
    Esql.@timestamp.max = max(@timestamp),
    Esql.event_count = count()
by Esql.time_window_date_trunc

| eval
    Esql.event_duration_seconds = date_diff("seconds", Esql.@timestamp.min, Esql.@timestamp.max),
    Esql.event_bf_type = case(
        Esql.azure_signinlogs_properties_user_principal_name_lower_count_distinct >= 10
            and Esql.event_count >= 30
            and Esql.azure_signinlogs_result_description_count_distinct <= 3
            and Esql.source_ip_count_distinct >= 5
            and Esql.event_duration_seconds <= 600
            and Esql.azure_signinlogs_properties_user_principal_name_lower_count_distinct > Esql.source_ip_count_distinct,
        "credential_stuffing",

        Esql.azure_signinlogs_properties_user_principal_name_lower_count_distinct >= 15
            and Esql.azure_signinlogs_result_description_count_distinct == 1
            and Esql.event_count >= 15
            and Esql.event_duration_seconds <= 1800,
        "password_spraying",

        (Esql.azure_signinlogs_properties_user_principal_name_lower_count_distinct == 1
            and Esql.azure_signinlogs_result_description_count_distinct == 1
            and Esql.event_count >= 30
            and Esql.event_duration_seconds <= 300)
            or (Esql.azure_signinlogs_properties_user_principal_name_lower_count_distinct <= 3
            and Esql.source_ip_count_distinct > 30
            and Esql.event_count >= 100),
        "password_guessing",

        "other"
    )

| where Esql.event_bf_type != "other"

| keep
    Esql.time_window_date_trunc,
    Esql.event_bf_type,
    Esql.event_duration_seconds,
    Esql.event_count,
    Esql.@timestamp.min,
    Esql.@timestamp.max,
    Esql.azure_signinlogs_properties_user_principal_name_lower_count_distinct,
    Esql_priv.azure_signinlogs_properties_user_principal_name_lower_values,
    Esql.azure_signinlogs_result_description_count_distinct,
    Esql.azure_signinlogs_result_description_values,
    Esql.azure_signinlogs_properties_status_error_code_count_distinct,
    Esql.azure_signinlogs_properties_status_error_code_values,
    Esql.azure_signinlogs_properties_incoming_token_type_lower_values,
    Esql.azure_signinlogs_properties_app_display_name_lower_values,
    Esql.source_ip_values,
    Esql.source_ip_count_distinct,
    Esql.source_as_organization_name_values,
    Esql.source_as_organization_name_count_distinct,
    Esql.source_geo_country_name_values,
    Esql.source_geo_country_name_count_distinct,
    Esql.azure_signinlogs_properties_authentication_requirement_values,
    Esql.azure_signinlogs_properties_app_id_values,
    Esql.azure_signinlogs_properties_app_display_name_values,
    Esql.azure_signinlogs_properties_resource_id_values,
    Esql.azure_signinlogs_properties_resource_display_name_values,
    Esql.azure_signinlogs_properties_conditional_access_status_values,
    Esql.azure_signinlogs_properties_device_detail_browser_values,
    Esql.azure_signinlogs_properties_device_detail_device_id_values,
    Esql.azure_signinlogs_properties_device_detail_operating_system_values,
    Esql.azure_signinlogs_properties_incoming_token_type_values,
    Esql.azure_signinlogs_properties_risk_state_values,
    Esql.azure_signinlogs_properties_session_id_values,
    Esql.azure_signinlogs_properties_user_id_values
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1110"
name = "Brute Force"
reference = "https://attack.mitre.org/techniques/T1110/"
[[rule.threat.technique.subtechnique]]
id = "T1110.001"
name = "Password Guessing"
reference = "https://attack.mitre.org/techniques/T1110/001/"

[[rule.threat.technique.subtechnique]]
id = "T1110.003"
name = "Password Spraying"
reference = "https://attack.mitre.org/techniques/T1110/003/"

[[rule.threat.technique.subtechnique]]
id = "T1110.004"
name = "Credential Stuffing"
reference = "https://attack.mitre.org/techniques/T1110/004/"



[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"

Stages and Predicates

Stage 1: from

from logs-azure.signinlogs-*

Stage 2: eval

| eval
    Esql.time_window_date_trunc = date_trunc(15 minutes, @timestamp),
    Esql_priv.azure_signinlogs_properties_user_principal_name_lower = to_lower(azure.signinlogs.properties.user_principal_name),
    Esql.azure_signinlogs_properties_incoming_token_type_lower = to_lower(azure.signinlogs.properties.incoming_token_type),
    Esql.azure_signinlogs_properties_app_display_name_lower = to_lower(azure.signinlogs.properties.app_display_name),
    Esql.user_agent_original = user_agent.original

Stage 3: where

| where data_stream.dataset == "azure.signinlogs"
    and event.category == "authentication"
    and azure.signinlogs.category in ("NonInteractiveUserSignInLogs", "SignInLogs")
    and azure.signinlogs.properties.resource_display_name rlike "(.*)365|SharePoint|Exchange|Teams|Office(.*)"
    and event.outcome == "failure"
    and azure.signinlogs.properties.status.error_code != 50053
    and azure.signinlogs.properties.status.error_code in (
        50034,
        50126,
        50055,
        50056,
        50057,
        50064,
        50076,
        50079,
        50105,
        70000,
        70008,
        70043,
        80002,
        80005,
        50144,
        50135,
        50142,
        120000,
        120002,
        120020
    )
    and azure.signinlogs.properties.user_principal_name is not null
    and azure.signinlogs.properties.user_principal_name != ""
    and user_agent.original != "Mozilla/5.0 (compatible; MSAL 1.0) PKeyAuth/1.0"

Stage 4: stats

| stats
    Esql.azure_signinlogs_properties_authentication_requirement_values = values(azure.signinlogs.properties.authentication_requirement),
    Esql.azure_signinlogs_properties_app_id_values = values(azure.signinlogs.properties.app_id),
    Esql.azure_signinlogs_properties_app_display_name_values = values(azure.signinlogs.properties.app_display_name),
    Esql.azure_signinlogs_properties_resource_id_values = values(azure.signinlogs.properties.resource_id),
    Esql.azure_signinlogs_properties_resource_display_name_values = values(azure.signinlogs.properties.resource_display_name),
    Esql.azure_signinlogs_properties_conditional_access_status_values = values(azure.signinlogs.properties.conditional_access_status),
    Esql.azure_signinlogs_properties_device_detail_browser_values = values(azure.signinlogs.properties.device_detail.browser),
    Esql.azure_signinlogs_properties_device_detail_device_id_values = values(azure.signinlogs.properties.device_detail.device_id),
    Esql.azure_signinlogs_properties_device_detail_operating_system_values = values(azure.signinlogs.properties.device_detail.operating_system),
    Esql.azure_signinlogs_properties_incoming_token_type_values = values(azure.signinlogs.properties.incoming_token_type),
    Esql.azure_signinlogs_properties_risk_state_values = values(azure.signinlogs.properties.risk_state),
    Esql.azure_signinlogs_properties_session_id_values = values(azure.signinlogs.properties.session_id),
    Esql.azure_signinlogs_properties_user_id_values = values(azure.signinlogs.properties.user_id),
    Esql_priv.azure_signinlogs_properties_user_principal_name_values = values(azure.signinlogs.properties.user_principal_name),
    Esql.azure_signinlogs_result_description_values = values(azure.signinlogs.result_description),
    Esql.azure_signinlogs_result_signature_values = values(azure.signinlogs.result_signature),
    Esql.azure_signinlogs_result_type_values = values(azure.signinlogs.result_type),

    Esql.azure_signinlogs_properties_user_principal_name_lower_count_distinct = count_distinct(Esql_priv.azure_signinlogs_properties_user_principal_name_lower),
    Esql_priv.azure_signinlogs_properties_user_principal_name_lower_values = values(Esql_priv.azure_signinlogs_properties_user_principal_name_lower),
    Esql.azure_signinlogs_result_description_count_distinct = count_distinct(azure.signinlogs.result_description),
    Esql.azure_signinlogs_result_description_values = values(azure.signinlogs.result_description),
    Esql.azure_signinlogs_properties_status_error_code_count_distinct = count_distinct(azure.signinlogs.properties.status.error_code),
    Esql.azure_signinlogs_properties_status_error_code_values = values(azure.signinlogs.properties.status.error_code),
    Esql.azure_signinlogs_properties_incoming_token_type_lower_values = values(Esql.azure_signinlogs_properties_incoming_token_type_lower),
    Esql.azure_signinlogs_properties_app_display_name_lower_values = values(Esql.azure_signinlogs_properties_app_display_name_lower),
    Esql.source_ip_values = values(source.ip),
    Esql.source_ip_count_distinct = count_distinct(source.ip),
    Esql.source_as_organization_name_values = values(source.`as`.organization.name),
    Esql.source_as_organization_name_count_distinct = count_distinct(source.`as`.organization.name),
    Esql.source_geo_country_name_values = values(source.geo.country_name),
    Esql.source_geo_country_name_count_distinct = count_distinct(source.geo.country_name),
    Esql.@timestamp.min = min(@timestamp),
    Esql.@timestamp.max = max(@timestamp),
    Esql.event_count = count()
by Esql.time_window_date_trunc

Stage 5: eval

| eval
    Esql.event_duration_seconds = date_diff("seconds", Esql.@timestamp.min, Esql.@timestamp.max),
    Esql.event_bf_type = case(
        Esql.azure_signinlogs_properties_user_principal_name_lower_count_distinct >= 10
            and Esql.event_count >= 30
            and Esql.azure_signinlogs_result_description_count_distinct <= 3
            and Esql.source_ip_count_distinct >= 5
            and Esql.event_duration_seconds <= 600
            and Esql.azure_signinlogs_properties_user_principal_name_lower_count_distinct > Esql.source_ip_count_distinct,
        "credential_stuffing",

        Esql.azure_signinlogs_properties_user_principal_name_lower_count_distinct >= 15
            and Esql.azure_signinlogs_result_description_count_distinct == 1
            and Esql.event_count >= 15
            and Esql.event_duration_seconds <= 1800,
        "password_spraying",

        (Esql.azure_signinlogs_properties_user_principal_name_lower_count_distinct == 1
            and Esql.azure_signinlogs_result_description_count_distinct == 1
            and Esql.event_count >= 30
            and Esql.event_duration_seconds <= 300)
            or (Esql.azure_signinlogs_properties_user_principal_name_lower_count_distinct <= 3
            and Esql.source_ip_count_distinct > 30
            and Esql.event_count >= 100),
        "password_guessing",

        "other"
    )

Stage 6: where

| where Esql.event_bf_type != "other"

Stage 7: keep

| keep
    Esql.time_window_date_trunc,
    Esql.event_bf_type,
    Esql.event_duration_seconds,
    Esql.event_count,
    Esql.@timestamp.min,
    Esql.@timestamp.max,
    Esql.azure_signinlogs_properties_user_principal_name_lower_count_distinct,
    Esql_priv.azure_signinlogs_properties_user_principal_name_lower_values,
    Esql.azure_signinlogs_result_description_count_distinct,
    Esql.azure_signinlogs_result_description_values,
    Esql.azure_signinlogs_properties_status_error_code_count_distinct,
    Esql.azure_signinlogs_properties_status_error_code_values,
    Esql.azure_signinlogs_properties_incoming_token_type_lower_values,
    Esql.azure_signinlogs_properties_app_display_name_lower_values,
    Esql.source_ip_values,
    Esql.source_ip_count_distinct,
    Esql.source_as_organization_name_values,
    Esql.source_as_organization_name_count_distinct,
    Esql.source_geo_country_name_values,
    Esql.source_geo_country_name_count_distinct,
    Esql.azure_signinlogs_properties_authentication_requirement_values,
    Esql.azure_signinlogs_properties_app_id_values,
    Esql.azure_signinlogs_properties_app_display_name_values,
    Esql.azure_signinlogs_properties_resource_id_values,
    Esql.azure_signinlogs_properties_resource_display_name_values,
    Esql.azure_signinlogs_properties_conditional_access_status_values,
    Esql.azure_signinlogs_properties_device_detail_browser_values,
    Esql.azure_signinlogs_properties_device_detail_device_id_values,
    Esql.azure_signinlogs_properties_device_detail_operating_system_values,
    Esql.azure_signinlogs_properties_incoming_token_type_values,
    Esql.azure_signinlogs_properties_risk_state_values,
    Esql.azure_signinlogs_properties_session_id_values,
    Esql.azure_signinlogs_properties_user_id_values
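The Stage 4 aggregation and the Stage 5 case() above, re-implemented in Python over constructed sign-in failures so the thresholds and the first-match ordering can be traced by hand. This is an added example, not code from Elastic's detection-rules repository; it assumes the dataset, category and resource filters of Stage 3 already passed, and SignIn, window_start, classify, run_rule and sample_events are this example's own names.

```python
"""Stage 4 aggregation and Stage 5 classification of the rule, re-done in plain Python
over constructed sign-in failures. Added example, not code from Elastic's repository."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Error codes accepted by the Stage 3 `in (...)` predicate (copied from the rule).
BRUTE_FORCE_ERROR_CODES = {
    50034, 50126, 50055, 50056, 50057, 50064, 50076, 50079, 50105, 70000,
    70008, 70043, 80002, 80005, 50144, 50135, 50142, 120000, 120002, 120020,
}
PKEYAUTH_UA = "Mozilla/5.0 (compatible; MSAL 1.0) PKeyAuth/1.0"  # excluded by Stage 3


@dataclass(frozen=True)
class SignIn:
    """The subset of an azure.signinlogs document that the rule actually reads."""
    ts: datetime             # @timestamp
    upn: str                 # azure.signinlogs.properties.user_principal_name
    error_code: int          # azure.signinlogs.properties.status.error_code
    result_description: str  # azure.signinlogs.result_description
    source_ip: str           # source.ip
    user_agent: str = "python-requests/2.31"  # user_agent.original (constructed)

def passes_stage3(e: SignIn) -> bool:
    """Stage 3 `where`; dataset, category and resource filters are assumed true."""
    return (e.error_code in BRUTE_FORCE_ERROR_CODES
            and e.upn != "" and e.user_agent != PKEYAUTH_UA)

def window_start(ts: datetime) -> datetime:
    """date_trunc(15 minutes, @timestamp): floor to the enclosing 15-minute bucket."""
    return ts.replace(minute=ts.minute - ts.minute % 15, second=0, microsecond=0)

def classify(n_users, n_ips, n_descs, n_events, secs):
    """Stage 5 case(): branches are tested in order and the first match wins."""
    if (n_users >= 10 and n_events >= 30 and n_descs <= 3 and n_ips >= 5
            and secs <= 600 and n_users > n_ips):
        return "credential_stuffing"
    if n_users >= 15 and n_descs == 1 and n_events >= 15 and secs <= 1800:
        return "password_spraying"
    if ((n_users == 1 and n_descs == 1 and n_events >= 30 and secs <= 300)
            or (n_users <= 3 and n_ips > 30 and n_events >= 100)):
        return "password_guessing"
    return "other"

def run_rule(events):
    """Return {window_start: bf_type} for every window Stage 6 keeps (not 'other')."""
    buckets = defaultdict(list)
    for e in events:
        if passes_stage3(e):
            buckets[window_start(e.ts)].append(e)
    hits = {}
    for start, evs in sorted(buckets.items()):
        n_users = len({e.upn.lower() for e in evs})         # ..._upn_lower_count_distinct
        n_ips = len({e.source_ip for e in evs})             # source_ip_count_distinct
        n_descs = len({e.result_description for e in evs})  # result_description_count_distinct
        secs = int((max(e.ts for e in evs) - min(e.ts for e in evs)).total_seconds())
        bf_type = classify(n_users, n_ips, n_descs, len(evs), secs)
        if bf_type != "other":
            hits[start] = bf_type
    return hits

def sample_events():
    """Constructed failures (no real tenant data); one scenario per 15-minute window."""
    t0 = datetime(2024, 9, 6, 10, 0, tzinfo=timezone.utc)
    ev, bad_pw, disabled = [], "Invalid username or password", "User account is disabled"
    # 10:00 window: one IP, one error, 20 accounts in 10 minutes -> password_spraying
    for i in range(20):
        ev.append(SignIn(t0 + timedelta(seconds=30 * i), f"user{i}@example.com",
                         50126, bad_pw, "203.0.113.10"))
    # 11:00 window: 40 attempts, 12 accounts, 6 IPs, 2 errors in 3 min -> credential_stuffing
    for i in range(40):
        ev.append(SignIn(t0 + timedelta(hours=1, seconds=5 * i),
                         f"staff{i % 12}@example.com", 50126 if i % 4 else 50057,
                         bad_pw if i % 4 else disabled, f"198.51.100.{i % 6}"))
    # 12:00 window: 35 attempts on one account in under 2 min -> password_guessing
    for i in range(35):
        ev.append(SignIn(t0 + timedelta(hours=2, seconds=3 * i),
                         "ceo@example.com", 50126, bad_pw, "192.0.2.77"))
    # 13:00 window: 5 failures from 3 users -> "other"; the last two never pass Stage 3
    for i in range(5):
        ev.append(SignIn(t0 + timedelta(hours=3, seconds=60 * i),
                         f"dev{i % 3}@example.com", 50126, bad_pw, "198.51.100.9"))
    ev.append(SignIn(t0 + timedelta(hours=3, seconds=400), "user1@example.com",
                     50126, bad_pw, "203.0.113.10", user_agent=PKEYAUTH_UA))
    ev.append(SignIn(t0 + timedelta(hours=3, seconds=410), "user2@example.com",
                     50053, "Account locked", "203.0.113.10"))
    return ev
```

Because date_trunc buckets on fixed quarter-hour boundaries, a burst that straddles one (say 10:14 to 10:16) is split across two windows and can fall below every threshold in both; the 60-minute lookback does not rejoin the halves.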

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field                                             | Kind         | Values
Esql.event_bf_type                                | ne           | other
azure.signinlogs.category                         | in           | NonInteractiveUserSignInLogs, SignInLogs
azure.signinlogs.properties.resource_display_name | regex_match  | (.*)365, SharePoint, Exchange, Teams, Office(.*)
azure.signinlogs.properties.status.error_code     | in           | 120000, 120002, 120020, 50034, 50055, 50056, 50057, 50064, 50076, 50079, 50105, 50126, 50135, 50142, 50144, 70000, 70008, 70043, 80002, 80005
azure.signinlogs.properties.status.error_code     | ne           | 50053
azure.signinlogs.properties.user_principal_name   | is_not_null  | (no value, null check)
data_stream.dataset                               | eq           | azure.signinlogs
event.category                                    | eq           | authentication
event.outcome                                     | eq           | failure
user_agent.original                               | ne           | Mozilla/5.0 (compatible; MSAL 1.0) PKeyAuth/1.0

Output fields

Fields the rule emits when it matches. Chronicle authors list these in the outcome block; they appear on the detection and $risk_score drives alerting. Sentinel / Defender XDR rules build them up through project / summarize / extend stages. Sentinel maps these into alert fields via entityMappings and customDetails; Defender XDR custom detections surface them as alert fields directly.

Field | Source
Esql.time_window_date_trunc | KEEP Esql.time_window_date_trunc
Esql.event_bf_type | KEEP Esql.event_bf_type
Esql.event_duration_seconds | KEEP Esql.event_duration_seconds
Esql.event_count | KEEP Esql.event_count
Esql.@timestamp.min | KEEP Esql.@timestamp.min
Esql.@timestamp.max | KEEP Esql.@timestamp.max
Esql.azure_signinlogs_properties_user_principal_name_lower_count_distinct | KEEP Esql.azure_signinlogs_properties_user_principal_name_lower_count_distinct
Esql_priv.azure_signinlogs_properties_user_principal_name_lower_values | KEEP Esql_priv.azure_signinlogs_properties_user_principal_name_lower_values
Esql.azure_signinlogs_result_description_count_distinct | KEEP Esql.azure_signinlogs_result_description_count_distinct
Esql.azure_signinlogs_result_description_values | KEEP Esql.azure_signinlogs_result_description_values
Esql.azure_signinlogs_properties_status_error_code_count_distinct | KEEP Esql.azure_signinlogs_properties_status_error_code_count_distinct
Esql.azure_signinlogs_properties_status_error_code_values | KEEP Esql.azure_signinlogs_properties_status_error_code_values
Esql.azure_signinlogs_properties_incoming_token_type_lower_values | KEEP Esql.azure_signinlogs_properties_incoming_token_type_lower_values
Esql.azure_signinlogs_properties_app_display_name_lower_values | KEEP Esql.azure_signinlogs_properties_app_display_name_lower_values
Esql.source_ip_values | KEEP Esql.source_ip_values
Esql.source_ip_count_distinct | KEEP Esql.source_ip_count_distinct
Esql.source_as_organization_name_values | KEEP Esql.source_as_organization_name_values
Esql.source_as_organization_name_count_distinct | KEEP Esql.source_as_organization_name_count_distinct
Esql.source_geo_country_name_values | KEEP Esql.source_geo_country_name_values
Esql.source_geo_country_name_count_distinct | KEEP Esql.source_geo_country_name_count_distinct
Esql.azure_signinlogs_properties_authentication_requirement_values | KEEP Esql.azure_signinlogs_properties_authentication_requirement_values
Esql.azure_signinlogs_properties_app_id_values | KEEP Esql.azure_signinlogs_properties_app_id_values
Esql.azure_signinlogs_properties_app_display_name_values | KEEP Esql.azure_signinlogs_properties_app_display_name_values
Esql.azure_signinlogs_properties_resource_id_values | KEEP Esql.azure_signinlogs_properties_resource_id_values
Esql.azure_signinlogs_properties_resource_display_name_values | KEEP Esql.azure_signinlogs_properties_resource_display_name_values
Esql.azure_signinlogs_properties_conditional_access_status_values | KEEP Esql.azure_signinlogs_properties_conditional_access_status_values
Esql.azure_signinlogs_properties_device_detail_browser_values | KEEP Esql.azure_signinlogs_properties_device_detail_browser_values
Esql.azure_signinlogs_properties_device_detail_device_id_values | KEEP Esql.azure_signinlogs_properties_device_detail_device_id_values
Esql.azure_signinlogs_properties_device_detail_operating_system_values | KEEP Esql.azure_signinlogs_properties_device_detail_operating_system_values
Esql.azure_signinlogs_properties_incoming_token_type_values | KEEP Esql.azure_signinlogs_properties_incoming_token_type_values
Esql.azure_signinlogs_properties_risk_state_values | KEEP Esql.azure_signinlogs_properties_risk_state_values
Esql.azure_signinlogs_properties_session_id_values | KEEP Esql.azure_signinlogs_properties_session_id_values
Esql.azure_signinlogs_properties_user_id_values | KEEP Esql.azure_signinlogs_properties_user_id_values