detection-rules icon indicating copy to clipboard operation
detection-rules copied to clipboard
verified publisher icon elastic

[Rule Tuning] Add exceptions for non-interactive signin failures for Entra M365 Bruteforce

Open jvalente-salemstate opened this issue 11 months ago • 4 comments

Include exceptions for error codes, restricted to NonInteractiveUserSignInLogs and token refreshes:

  • 70043 : Refresh token expired or no longer valid due to conditional access frequency checks
  • 70044 : Session expired or no longer valid due to conditional access frequency checks
  • 50057 : User account is disabled

Failures in the first two cases are the result of logins that were both successful and have passed an applicable Conditional Access policy. The third code simply avoids alerts from an account that's been disabled but still is seeing noninteractive sign-in attempts.

There is a possibility of false negatives in the cases of (invalidated) token theft, but this is neither true case of "brute force", and a detection rule specifically for token theft would be better suited for this.

Pull Request

Issue link(s):

  • Closes #4404
  • Related to #4262

Summary - What I changed

To exclude non-interactive signins for a token refresh, I've modified the query to include

  and not (azure.signinlogs.category == "NonInteractiveUserSignInLogs"
      and azure.signinlogs.properties.status.error_code in (70043, 70044, 50057)
      and azure.signinlogs.properties.incoming_token_type in ("primaryRefreshToken", "refreshToken"))

Contributor checklist

jvalente-salemstate avatar Jan 22 '25 01:01 jvalente-salemstate

Rule: Tuning - Guidelines

These guidelines serve as a reminder set of considerations when tuning an existing rule.

Documentation and Context

  • [ ] Detailed description of the suggested changes.
  • [ ] Provide example JSON data or screenshots.
  • [ ] Provide evidence of reducing benign events mistakenly identified as threats (False Positives).
  • [ ] Provide evidence of enhancing detection of true threats that were previously missed (False Negatives).
  • [ ] Provide evidence of optimizing resource consumption and execution time of detection rules (Performance).
  • [ ] Provide evidence of specific environment factors influencing customized rule tuning (Contextual Tuning).
  • [ ] Provide evidence of improvements made by modifying sensitivity by changing alert triggering thresholds (Threshold Adjustments).
  • [ ] Provide evidence of refining rules to better detect deviations from typical behavior (Behavioral Tuning).
  • [ ] Provide evidence of improvements of adjusting rules based on time-based patterns (Temporal Tuning).
  • [ ] Provide reasoning of adjusting priority or severity levels of alerts (Severity Tuning).
  • [ ] Provide evidence of improving quality integrity of our data used by detection rules (Data Quality).
  • [ ] Ensure the tuning includes necessary updates to the release documentation and versioning.

Rule Metadata Checks

  • [ ] updated_date matches the date of tuning PR merged.
  • [ ] min_stack_version should support the widest stack versions.
  • [ ] name and description should be descriptive and not include typos.
  • [ ] query should be inclusive, not overly exclusive. Review to ensure the original intent of the rule is maintained.

Testing and Validation

  • [ ] Validate that the tuned rule's performance is satisfactory and does not negatively impact the stack.
  • [ ] Ensure that the tuned rule has a low false positive rate.

github-actions[bot] avatar Jan 24 '25 20:01 github-actions[bot]

@terrancedejesus it looks like the conflict in this merge is just the last update date due to #4358 being merged in between this PR and the last change to the rule. Is this something I should fix (with a more recent date?) or should this be done by someone who can do the merge?

jvalente-salemstate avatar Feb 20 '25 17:02 jvalente-salemstate

@jvalente-salemstate - fixed it for ya. Just updated to today's date. Once done, you should be good to merge!

terrancedejesus avatar Feb 20 '25 17:02 terrancedejesus

@jvalente-salemstate - Just need to update the updated_date in the rule metadata. Then your good to merge I believe!

terrancedejesus avatar Apr 17 '25 19:04 terrancedejesus

@terrancedejesus all set.

jvalente-salemstate avatar Apr 18 '25 17:04 jvalente-salemstate

@jvalente-salemstate - awesome. Once checks pass, feel free to merge. If your unable to just let me know and I can merge that for ya.

terrancedejesus avatar Apr 18 '25 17:04 terrancedejesus

@terrancedejesus I cannot merge. I have a "Merging is blocked. You're not authorized to push to this branch" warning where the button would be.

jvalente-salemstate avatar Apr 22 '25 23:04 jvalente-salemstate