Azure Entra Sign-in Brute Force against Microsoft 365 Accounts

Identifies potential brute-force attempts against Microsoft 365 user accounts by detecting a high number of failed interactive or non-interactive sign-in attempts within a 30-minute window. Attackers may attempt to brute-force user accounts to gain unauthorized access to Microsoft 365 services via different services such as Exchange, SharePoint, or Teams.

Rule type: esql

Rule indices: None

Severity: medium

Risk score: 47

Runs every: 10 minutes

Searches indices from: now-60m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Domain: Cloud
  • Domain: SaaS
  • Data Source: Azure
  • Data Source: Entra ID
  • Data Source: Entra ID Sign-in
  • Use Case: Identity and Access Audit
  • Use Case: Threat Detection
  • Tactic: Credential Access

Version: 2

Rule authors:

  • Elastic

Rule license: Elastic License v2

Investigation guide

This rule relies on Azure Entra ID sign-in logs, but filters for Microsoft 365 resources.

Rule query

from logs-azure.signinlogs*
// truncate the timestamp to a 30-minute window
| eval target_time_window = DATE_TRUNC(30 minutes, @timestamp)
| WHERE
  event.dataset == "azure.signinlogs"
  and event.category == "authentication"
  and to_lower(azure.signinlogs.properties.resource_display_name) rlike "(.*)365(.*)"
  and azure.signinlogs.category in ("NonInteractiveUserSignInLogs", "SignInLogs")
  and event.outcome != "success"
  // for tuning review azure.signinlogs.properties.status.error_code
  // https://learn.microsoft.com/en-us/entra/identity-platform/reference-error-codes

// keep only relevant fields
| keep target_time_window, event.dataset, event.category, azure.signinlogs.properties.resource_display_name, azure.signinlogs.category, event.outcome, azure.signinlogs.properties.user_principal_name, source.ip

// count the number of login sources and failed login attempts
| stats
  login_source_count = count(source.ip),
  failed_login_count = count(*) by target_time_window, azure.signinlogs.properties.user_principal_name

// filter for users with more than 20 login sources or failed login attempts
| where (login_source_count >= 20 or failed_login_count >= 20)
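
The aggregation above, re-implemented in Python as an added example (not part of the rule or of Elastic's code) so the bucketing and thresholds can be exercised offline against constructed sign-in events; the dotted field names follow the ECS fields the query keeps, and the sample data is made up.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

THRESHOLD = 20                  # same cut-off as the rule's final WHERE clause
WINDOW = timedelta(minutes=30)  # DATE_TRUNC(30 minutes, @timestamp)
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

def truncate_window(ts):
    """Floor a timestamp to the start of its 30-minute bucket (DATE_TRUNC)."""
    return EPOCH + WINDOW * ((ts - EPOCH) // WINDOW)

def matches_filter(ev):
    """Mirror the rule's WHERE clause on a flattened (dotted-key) sign-in event."""
    resource = (ev.get("azure.signinlogs.properties.resource_display_name") or "").lower()
    return (ev.get("event.dataset") == "azure.signinlogs"
            and ev.get("event.category") == "authentication"
            and "365" in resource                      # rlike "(.*)365(.*)"
            and ev.get("azure.signinlogs.category") in ("NonInteractiveUserSignInLogs", "SignInLogs")
            and ev.get("event.outcome") != "success")

def detect_bruteforce(events, threshold=THRESHOLD):
    """STATS ... BY window, UPN, then keep buckets at or above the threshold. As in ES|QL,
    count(source.ip) counts non-null values, not distinct IPs; distinct_ips is a tuning aid."""
    buckets = defaultdict(lambda: {"failed": 0, "sources": 0, "ips": set()})
    for ev in filter(matches_filter, events):
        b = buckets[(truncate_window(ev["@timestamp"]),
                     ev["azure.signinlogs.properties.user_principal_name"])]
        b["failed"] += 1
        if ev.get("source.ip") is not None:
            b["sources"] += 1
            b["ips"].add(ev["source.ip"])
    return [{"window": w, "upn": upn, "failed_login_count": b["failed"],
             "login_source_count": b["sources"], "distinct_ips": len(b["ips"])}
            for (w, upn), b in sorted(buckets.items())
            if b["sources"] >= threshold or b["failed"] >= threshold]

def sample_events():
    """Constructed sample data (not real logs): one sprayed account plus benign noise."""
    base = datetime(2024, 1, 1, 10, 5, tzinfo=timezone.utc)
    def ev(minute, upn, ip, outcome="failure", resource="Office 365 Exchange Online"):
        return {"@timestamp": base + timedelta(minutes=minute), "event.dataset": "azure.signinlogs",
                "event.category": "authentication", "event.outcome": outcome, "source.ip": ip,
                "azure.signinlogs.category": "SignInLogs", "azure.signinlogs.properties.resource_display_name": resource,
                "azure.signinlogs.properties.user_principal_name": upn}
    events = [ev(i, "victim@example.com", f"203.0.113.{i}") for i in range(22)]  # 22 failures from 22 IPs
    events += [ev(i, "alice@example.com", "198.51.100.7") for i in range(3)]     # a few typos: below threshold
    events += [ev(5, "bob@example.com", "198.51.100.8", outcome="success")]      # successes are excluded
    events += [ev(i, "carol@example.com", "198.51.100.9", resource="Azure Portal") for i in range(25)]  # not 365
    return events
```

Running `detect_bruteforce(sample_events())` returns only the sprayed account's 10:00 bucket; the distinct_ips value helps when deciding whether a bucket is a distributed spray or a single misconfigured client retrying.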

Framework: MITRE ATT&CK™