High Number of Login Failures from a single source

name: High Number of Login Failures from a single source
id: 7f398cfb-918d-41f4-8db8-2e2474e02222
version: 12
creation_date: '2020-12-16'
modification_date: '2026-05-13'
author: Bhavin Patel, Mauricio Velazco, Splunk
status: production
type: Anomaly
description: The following analytic detects multiple failed login attempts in Office365 Azure Active Directory from a single source IP address. It leverages Office365 management activity logs, specifically AzureActiveDirectoryStsLogon records, aggregating these logs in 5-minute intervals to count failed login attempts. This activity is significant as it may indicate brute-force attacks or password spraying, which are critical to monitor. If confirmed malicious, an attacker could gain unauthorized access to Office365 accounts, leading to potential data breaches, lateral movement within the organization, or further malicious activities using the compromised account.
data_source:
    - O365 UserLoginFailed
search: |-
    `o365_management_activity` Workload=AzureActiveDirectory Operation=UserLoginFailed record_type=AzureActiveDirectoryStsLogon
      | bucket span=5m _time
      | stats dc(_raw) AS failed_attempts values(user) as user values(LogonError) as LogonError values(signature) as signature values(UserAgent) as UserAgent values(dest) as dest values(vendor_account) as vendor_account values(vendor_product) as vendor_product
        BY _time, src_ip
      | where failed_attempts > 10
      | `high_number_of_login_failures_from_a_single_source_filter`
how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. Adjust the threshold value to suit the specific environment, as environments with naturally higher login failures might generate false positives at a lower threshold.
known_false_positives: An Ip address with more than 10 failed authentication attempts in the span of 5 minutes may also be triggered by a broken application.
references:
    - https://attack.mitre.org/techniques/T1110/001/
    - https://docs.microsoft.com/en-us/security/compass/incident-response-playbook-password-spray
    - https://www.cisa.gov/uscert/ncas/alerts/aa21-008a
    - https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes
drilldown_searches:
    - name: View the detection results for - "$user$"
      search: '%original_detection_search% | search  user = "$user$"'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
    - name: View risk events for the last 7 days for - "$user$"
      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
      earliest_offset: 7d
      latest_offset: "0"
intermediate_findings:
    entities:
        - field: user
          type: user
          score: 20
          message: Ip address $src_ip$ failed to authenticate more than 10 times in a 5 minute
threat_objects:
    - field: src_ip
      type: ip_address
analytic_story:
    - Office 365 Account Takeover
asset_type: O365 Tenant
mitre_attack_id:
    - T1110.001
product:
    - Splunk Enterprise
    - Splunk Enterprise Security
    - Splunk Cloud
category: cloud
security_domain: threat
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.001/o365_high_number_authentications_for_user/o365_high_number_authentications_for_user.log
          source: o365
          sourcetype: o365:management:activity
      test_type: unit