detection.wiki

Detection rules › Sigma

Increased Failed Authentications Of Any Type

Status
test
Severity
medium
Log source
product azure, service signinlogs
Author
Mark Morowczynski '@markmorow', MikeDuddington, '@dudders1'
Source
github.com/SigmaHQ/sigma

Detects when sign-ins increased by 10% or greater.

MITRE ATT&CK coverage

TacticTechniques
Initial AccessT1078 Valid Accounts
PersistenceT1078 Valid Accounts
Privilege EscalationT1078 Valid Accounts
StealthT1078 Valid Accounts

Rule body yaml

title: Increased Failed Authentications Of Any Type
id: e1d02b53-c03c-4948-b11d-4d00cca49d03
status: test
description: Detects when sign-ins increased by 10% or greater.
references:
    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins
author: Mark Morowczynski '@markmorow', MikeDuddington, '@dudders1'
date: 2022-08-11
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.initial-access
    - attack.stealth
    - attack.t1078
logsource:
    product: azure
    service: signinlogs
detection:
    selection:
        Status: failure
        Count: "<10%"
    condition: selection
falsepositives:
    - Unlikely
level: medium

Stages and Predicates

Stage 0: condition

selection

Stage 1: selection

selection:
    Status: failure
    Count: "<10%"

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
Counteq
  • <10%
Statuseq
  • failure