Azure Entra 登录针对 Microsoft 365 帐户的暴力破解
编辑Azure Entra 登录针对 Microsoft 365 帐户的暴力破解
编辑通过检测 30 分钟内大量交互式或非交互式登录失败尝试,识别针对 Microsoft 365 用户帐户的潜在暴力破解尝试。攻击者可能会尝试暴力破解用户帐户,以通过 Exchange、SharePoint 或 Teams 等不同服务获取对 Microsoft 365 服务的未授权访问。
规则类型: esql
规则索引: 无
严重性: 中等
风险评分: 47
每隔: 10 分钟
搜索索引时间范围: now-60m (日期数学格式,另请参见 额外回溯时间
)
每次执行的最大告警数: 100
参考:
标签:
- 领域: 云
- 领域: SaaS
- 数据源: Azure
- 数据源: Entra ID
- 数据源: Entra ID 登录
- 用例: 身份和访问审计
- 用例: 威胁检测
- 战术: 凭据访问
版本: 2
规则作者:
- Elastic
规则许可证: Elastic License v2
调查指南
编辑此规则依赖于 Azure Entra ID 登录日志,但会过滤 Microsoft 365 资源。
规则查询
编辑from logs-azure.signinlogs* // truncate the timestamp to a 30-minute window | eval target_time_window = DATE_TRUNC(30 minutes, @timestamp) | WHERE event.dataset == "azure.signinlogs" and event.category == "authentication" and to_lower(azure.signinlogs.properties.resource_display_name) rlike "(.*)365(.*)" and azure.signinlogs.category in ("NonInteractiveUserSignInLogs", "SignInLogs") and event.outcome != "success" // for tuning review azure.signinlogs.properties.status.error_code // https://learn.microsoft.com/en-us/entra/identity-platform/reference-error-codes // keep only relevant fields | keep target_time_window, event.dataset, event.category, azure.signinlogs.properties.resource_display_name, azure.signinlogs.category, event.outcome, azure.signinlogs.properties.user_principal_name, source.ip // count the number of login sources and failed login attempts | stats login_source_count = count(source.ip), failed_login_count = count(*) by target_time_window, azure.signinlogs.properties.user_principal_name // filter for users with more than 20 login sources or failed login attempts | where (login_source_count >= 20 or failed_login_count >= 20)
框架: MITRE ATT&CKTM
-
战术
- 名称: 凭据访问
- ID: TA0006
- 参考 URL: https://attack.mitre.org/tactics/TA0006/
-
技术
- 名称: 暴力破解
- ID: T1110
- 参考 URL: https://attack.mitre.org/techniques/T1110/