Azure AD High Number Of Failed Authentications For User

name: Azure AD High Number Of Failed Authentications For User
id: 630b1694-210a-48ee-a450-6f79e7679f2c
version: 13
creation_date: '2023-01-23'
modification_date: '2026-05-13'
author: Mauricio Velazco, Splunk
status: production
type: TTP
description: The following analytic identifies an Azure AD account experiencing more than 20 failed authentication attempts within a 10-minute window. This detection leverages Azure SignInLogs data, specifically monitoring for error code 50126 and unsuccessful authentication attempts. This behavior is significant as it may indicate a brute force attack targeting the account. If confirmed malicious, an attacker could potentially gain unauthorized access, leading to data breaches or further exploitation within the environment. Security teams should adjust the threshold based on their specific environment to reduce false positives.
data_source:
    - Azure Active Directory
search: |
    `azure_monitor_aad`
    category=SignInLogs
    properties.status.errorCode=50126
    properties.authenticationDetails{}.succeeded=false
    | rename properties.* as *
    | bin span=10m _time
    | fillnull value=null
    | stats count min(_time) as firstTime max(_time) as lastTime values(dest) as dest values(src) as src values(user_agent) as user_agent by user _time vendor_account vendor_product
    | where count > 20
    | `security_content_ctime(firstTime)`
    | `security_content_ctime(lastTime)`
    | `azure_ad_high_number_of_failed_authentications_for_user_filter`
how_to_implement: You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the SignInLogs log category.
known_false_positives: A user with more than 20 failed authentication attempts in the span of 10 minutes may also be triggered by a broken application.
references:
    - https://attack.mitre.org/techniques/T1110/
    - https://attack.mitre.org/techniques/T1110/001/
drilldown_searches:
    - name: View the detection results for - "$user$"
      search: '%original_detection_search% | search  user = "$user$"'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
    - name: View risk events for the last 7 days for - "$user$"
      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
      earliest_offset: 7d
      latest_offset: "0"
finding:
    title: User $user$ failed to authenticate more than 20 times in the span of 10 minutes.
    entity:
        field: user
        type: user
        score: 50
analytic_story:
    - Compromised User Account
    - Azure Active Directory Account Takeover
asset_type: Azure Tenant
mitre_attack_id:
    - T1110.001
product:
    - Splunk Enterprise
    - Splunk Enterprise Security
    - Splunk Cloud
category: cloud
security_domain: identity
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.001/azure_ad_high_number_of_failed_authentications_for_user/azuread.log
          source: Azure AD
          sourcetype: azure:monitor:aad
      test_type: unit