[Rule Tuning] Azure Entra Sign-in Brute Force against Microsoft 365 Accounts
Link to Rule
https://github.com/elastic/detection-rules/blob/main/rules/integrations/azure/credential_access_entra_signin_brute_force_microsoft_365.toml
Rule Tuning Type
False Positives - Reducing benign events mistakenly identified as threats.
Description
We have found that non-interactive sign-ins with expired or invalid tokens are generating a volume of false positives.
Generally, these reflect tokens/sessions that are/were successful logins, passing conditional access. If the token/session is invalid or expires due to a CA frequency check, this will log as a failure. There may be cases where this indicates token theft (of a since-invalidated token), but these would be better identified in a search for token theft rather than brute force.
The following azure.signinlogs.properties.status.error_code are our highest volume offenders and make up the majority of the generated alerts.
- 70043 : Refresh token expired or no longer valid due to conditional access frequency checks
- 70044 : Session expired or no longer valid due to conditional access frequency checks
Example Data
Exclude non-interactive logins that are refreshing tokens and failing with specific error codes. This restricts the event code exclusions to the specific false positive in this issue.
```
and not (azure.signinlogs.category == "NonInteractiveUserSignInLogs"
    and azure.signinlogs.properties.status.error_code in (70043, 70044, 50057)
    and azure.signinlogs.properties.incoming_token_type in ("primaryRefreshToken", "refreshToken"))
```
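As an added example (not code from this issue or from the detection-rules repository), the proposed exclusion applied in Python to constructed sample sign-in events, with a simple per-user failure count standing in for the rule's threshold. The field paths `event.outcome` and `azure.signinlogs.properties.user_principal_name`, the interactive category name `SignInLogs`, the 50126 invalid-credentials code and the threshold value are assumptions.

```python
from collections import Counter

# Values quoted in the issue: the excluded error codes (50057 appears only in the
# proposed query) and the refresh-token types. Field paths beyond the three named
# in the issue (event.outcome, user_principal_name) are assumptions for this example.
BENIGN_REFRESH_CODES = {70043, 70044, 50057}
REFRESH_TOKEN_TYPES = {"primaryRefreshToken", "refreshToken"}
NON_INTERACTIVE = "NonInteractiveUserSignInLogs"

def is_benign_refresh_failure(event: dict) -> bool:
    """The proposed exclusion: a non-interactive sign-in that failed only because
    its refresh token or session was expired/revoked by a conditional access check."""
    signin = event["azure"]["signinlogs"]
    props = signin["properties"]
    return (
        signin.get("category") == NON_INTERACTIVE
        and props.get("status", {}).get("error_code") in BENIGN_REFRESH_CODES
        and props.get("incoming_token_type") in REFRESH_TOKEN_TYPES
    )

def brute_force_candidates(events: list, threshold: int) -> dict:
    """Count remaining failed sign-ins per user after the exclusion and return the
    users whose count reaches the threshold (the rule's brute-force signal)."""
    counts = Counter()
    for ev in events:
        if ev["event"]["outcome"] != "failure" or is_benign_refresh_failure(ev):
            continue
        counts[ev["azure"]["signinlogs"]["properties"]["user_principal_name"]] += 1
    return {user: n for user, n in counts.items() if n >= threshold}

def make_event(user: str, category: str, code: int, token_type: str) -> dict:
    """Build a constructed sample sign-in failure in the shape the functions expect."""
    return {
        "event": {"outcome": "failure"},
        "azure": {"signinlogs": {"category": category, "properties": {
            "user_principal_name": user, "incoming_token_type": token_type,
            "status": {"error_code": code}}}},
    }

# Constructed sample: a device silently refreshing an expired PRT for alice (the
# false positive from the issue) and repeated wrong-password attempts against bob
# (a genuine brute-force pattern; 50126 = invalid credentials, assumed here).
SAMPLE_EVENTS = (
    [make_event("alice@example.com", NON_INTERACTIVE, 70043, "primaryRefreshToken")] * 6
    + [make_event("bob@example.com", "SignInLogs", 50126, "none")] * 6
)

if __name__ == "__main__":
    print(brute_force_candidates(SAMPLE_EVENTS, threshold=5))  # {'bob@example.com': 6}
```

Without the exclusion, alice's six PRT refresh failures would reach the same threshold as bob's password failures; with it, only bob remains.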