Attempts to Brute Force a Microsoft 365 User Account
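Identifies potential brute-force attempts against Microsoft 365 user accounts by detecting a high number of failed login attempts or login sources within a 30-minute window. Attackers may attempt to brute force user accounts to gain unauthorized access to Microsoft 365 services.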
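Rule type: esql
Rule indices: None
Severity: medium
Risk score: 47
Runs every: 5 minutes
Searches indices from: now-9m (Date Math format, see also Additional look-back time)
Maximum alerts per execution: 100
References:
Tags:
- Domain: Cloud
- Domain: SaaS
- Data Source: Microsoft 365
- Use Case: Identity and Access Audit
- Use Case: Threat Detection
- Tactic: Credential Access
Version: 311
Rule authors:
- Elastic
- Willem D’Haese
- Austin Songer
Rule license: Elastic License v2
Rule query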
```
from logs-o365.audit-*
// truncate the timestamp to a 30-minute window
| eval target_time_window = DATE_TRUNC(30 minutes, @timestamp)
| mv_expand event.category
| where event.dataset == "o365.audit"
    and event.category == "authentication"

    // filter only on Entra ID or Exchange audit logs in O365 integration
    and event.provider in ("AzureActiveDirectory", "Exchange")

    // filter only for UserLoginFailed or partial failures
    and event.action in ("UserLoginFailed", "PasswordLogonInitialAuthUsingPassword")

    // ignore specific logon errors
    and not o365.audit.LogonError in (
        "EntitlementGrantsNotFound",
        "UserStrongAuthEnrollmentRequired",
        "UserStrongAuthClientAuthNRequired",
        "InvalidReplyTo",
        "SsoArtifactExpiredDueToConditionalAccess",
        "PasswordResetRegistrationRequiredInterrupt",
        "SsoUserAccountNotFoundInResourceTenant",
        "UserStrongAuthExpired",
        "CmsiInterrupt"
    )

    // ignore unavailable
    and o365.audit.UserId != "Not Available"

    // filters out non user or application logins based on target
    and o365.audit.Target.Type in ("0", "2", "3", "5", "6", "10")

    // filters only for logins from user or application, ignoring oauth:token
    and to_lower(o365.audit.ExtendedProperties.RequestType) rlike "(.*)login(.*)"

// keep only relevant fields
| keep event.provider, event.dataset, event.category, o365.audit.UserId, event.action, source.ip, o365.audit.LogonError, o365.audit.ExtendedProperties.RequestType, o365.audit.Target.Type, target_time_window

// count the number of login sources and failed login attempts
| stats
    login_source_count = count(source.ip),
    failed_login_count = count(*)
  by target_time_window, o365.audit.UserId

// filter for users with more than 20 login sources or failed login attempts
| where (login_source_count >= 20 or failed_login_count >= 20)
```
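The following added example (not part of the Elastic rule or its documentation) re-implements the query's filters, 30-minute bucketing and thresholds in Python over constructed events, to show how the fixed windows and `count(source.ip)` behave when tuning or triaging this rule. The flattened event keys, users, IP addresses and timestamps are assumptions made for the example, and `o365.audit.Target.Type` is treated as single-valued.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

PROVIDERS = {"AzureActiveDirectory", "Exchange"}
ACTIONS = {"UserLoginFailed", "PasswordLogonInitialAuthUsingPassword"}
TARGET_TYPES = {"0", "2", "3", "5", "6", "10"}
IGNORED_ERRORS = {  # the rule's o365.audit.LogonError exclusions
    "EntitlementGrantsNotFound", "UserStrongAuthEnrollmentRequired",
    "UserStrongAuthClientAuthNRequired", "InvalidReplyTo", "CmsiInterrupt",
    "SsoArtifactExpiredDueToConditionalAccess", "UserStrongAuthExpired",
    "PasswordResetRegistrationRequiredInterrupt", "SsoUserAccountNotFoundInResourceTenant"}
WINDOW_S, THRESHOLD = 30 * 60, 20

def in_scope(ev):
    """The rule's where-clause filters applied to one flattened event (hypothetical keys)."""
    return (ev["provider"] in PROVIDERS and ev["action"] in ACTIONS
            and ev["logon_error"] not in IGNORED_ERRORS
            and ev["user_id"] != "Not Available"
            and ev["target_type"] in TARGET_TYPES
            and "login" in ev["request_type"].lower())

def evaluate(events):
    """Group by (30-minute window start, user) and keep groups at or over the threshold."""
    groups = defaultdict(lambda: {"failed": 0, "sources": 0, "distinct_ips": set()})
    for ev in filter(in_scope, events):
        window = int(ev["ts"].timestamp()) // WINDOW_S * WINDOW_S  # DATE_TRUNC(30 minutes, ...)
        g = groups[(window, ev["user_id"])]
        g["failed"] += 1                       # count(*)
        if ev["source_ip"] is not None:
            g["sources"] += 1                  # count(source.ip): non-null values, not distinct IPs
            g["distinct_ips"].add(ev["source_ip"])
    return {k: g for k, g in groups.items()
            if g["sources"] >= THRESHOLD or g["failed"] >= THRESHOLD}

def sample_events():
    """Constructed events; users, IPs and timestamps are made up for illustration."""
    base = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    def ev(user, ip, seconds, error="InvalidUserNameOrPassword"):
        return {"ts": base + timedelta(seconds=seconds), "user_id": user, "source_ip": ip,
                "provider": "AzureActiveDirectory", "action": "UserLoginFailed",
                "logon_error": error, "target_type": "0", "request_type": "Login:login"}
    alice = [ev("alice@example.com", "203.0.113.7", i * 60) for i in range(25)]  # one IP, one window
    bob = [ev("bob@example.com", f"198.51.100.{i}", i * 60) for i in range(19)]  # under threshold
    carol = [ev("carol@example.com", "192.0.2.9", 1140 + i * 60) for i in range(22)]  # 11 + 11 split at 12:30
    dave = [ev("dave@example.com", "192.0.2.10", i * 60, "UserStrongAuthExpired") for i in range(25)]
    return alice + bob + carol + dave

if __name__ == "__main__":
    print({k: (g["failed"], len(g["distinct_ips"])) for k, g in evaluate(sample_events()).items()})
```

Only the first sample user produces an alert: `login_source_count` reaches 25 from a single IP address because `count(source.ip)` counts non-null values, while 22 failures split evenly across a window boundary stay under the threshold in both buckets.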
Framework: MITRE ATT&CK™
- Tactic:
  - Name: Credential Access
  - ID: TA0006
  - Reference URL: https://attack.mitre.org/tactics/TA0006/
- Technique:
  - Name: Brute Force
  - ID: T1110
  - Reference URL: https://attack.mitre.org/techniques/T1110/