Attempts to Brute Force a Microsoft 365 User Account


Identifies potential brute-force attempts against Microsoft 365 user accounts by detecting a high number of failed login attempts or distinct login sources within a 30-minute window. Attackers may attempt to brute force user accounts to gain unauthorized access to Microsoft 365 services.

Rule type: esql

Rule indices: None

Severity: medium

Risk score: 47

Runs every: 5m

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Domain: Cloud
  • Domain: SaaS
  • Data Source: Microsoft 365
  • Use Case: Identity and Access Audit
  • Use Case: Threat Detection
  • Tactic: Credential Access

Version: 311

Rule authors:

  • Elastic
  • Willem D'Haese
  • Austin Songer

Rule license: Elastic License v2

Rule query

from logs-o365.audit-*
// truncate the timestamp to a 30-minute window
| eval target_time_window = DATE_TRUNC(30 minutes, @timestamp)
| mv_expand event.category
| where event.dataset == "o365.audit"
  and event.category == "authentication"

  // filter only on Entra ID or Exchange audit logs in O365 integration
  and event.provider in ("AzureActiveDirectory", "Exchange")

  // filter only for UserLoginFailed or partial failures
  and event.action in ("UserLoginFailed", "PasswordLogonInitialAuthUsingPassword")

  // ignore specific logon errors
  and not o365.audit.LogonError in (
    "EntitlementGrantsNotFound",
    "UserStrongAuthEnrollmentRequired",
    "UserStrongAuthClientAuthNRequired",
    "InvalidReplyTo",
    "SsoArtifactExpiredDueToConditionalAccess",
    "PasswordResetRegistrationRequiredInterrupt",
    "SsoUserAccountNotFoundInResourceTenant",
    "UserStrongAuthExpired",
    "CmsiInterrupt"
  )

  // ignore unavailable
  and o365.audit.UserId != "Not Available"

  // filters out non user or application logins based on target
  and o365.audit.Target.Type in ("0", "2", "3", "5", "6", "10")

  // filters only for logins from user or application, ignoring oauth:token
  and to_lower(o365.audit.ExtendedProperties.RequestType) rlike "(.*)login(.*)"

// keep only relevant fields
| keep event.provider, event.dataset, event.category, o365.audit.UserId, event.action, source.ip, o365.audit.LogonError, o365.audit.ExtendedProperties.RequestType, o365.audit.Target.Type, target_time_window

// count the number of login sources and failed login attempts
| stats
  login_source_count = count(source.ip),
  failed_login_count = count(*) by target_time_window, o365.audit.UserId

// filter for users with more than 20 login sources or failed login attempts
| where (login_source_count >= 20 or failed_login_count >= 20)
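To make the rule's behaviour concrete, the following is an added Python example (not Elastic's code and not part of the rule above) that replays the same filters and the 30-minute bucketed statistics over a constructed set of o365.audit events. It assumes events arrive as flat dictionaries keyed by the ECS/o365 field names used in the query; the sample users, addresses and RequestType values (such as "Login:login") are constructed test data, not observations from a real tenant.

```python
"""Added example: the ES|QL brute-force rule above, re-implemented in Python
over constructed o365.audit events so each filter and the STATS step can be
inspected in isolation. Not Elastic's code."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constants copied from the rule query.
IGNORED_LOGON_ERRORS = {
    "EntitlementGrantsNotFound", "UserStrongAuthEnrollmentRequired",
    "UserStrongAuthClientAuthNRequired", "InvalidReplyTo",
    "SsoArtifactExpiredDueToConditionalAccess",
    "PasswordResetRegistrationRequiredInterrupt",
    "SsoUserAccountNotFoundInResourceTenant", "UserStrongAuthExpired",
    "CmsiInterrupt",
}
FAILURE_ACTIONS = {"UserLoginFailed", "PasswordLogonInitialAuthUsingPassword"}
PROVIDERS = {"AzureActiveDirectory", "Exchange"}
TARGET_TYPES = {"0", "2", "3", "5", "6", "10"}
LOGIN_REQUEST = re.compile(r".*login.*")   # rlike "(.*)login(.*)" on the lower-cased RequestType
THRESHOLD = 20


def truncate_to_window(ts: datetime) -> datetime:
    """DATE_TRUNC(30 minutes, @timestamp): floor to the start of the half hour."""
    return ts.replace(minute=(ts.minute // 30) * 30, second=0, microsecond=0)


def matches_rule_filters(ev: dict) -> bool:
    """The WHERE clause of the rule applied to one flattened o365.audit event."""
    categories = ev.get("event.category", [])
    if isinstance(categories, str):            # mv_expand: accept scalar or multi-value
        categories = [categories]
    if ev.get("event.dataset") != "o365.audit" or "authentication" not in categories:
        return False
    if ev.get("event.provider") not in PROVIDERS:
        return False
    if ev.get("event.action") not in FAILURE_ACTIONS:
        return False
    if ev.get("o365.audit.LogonError") in IGNORED_LOGON_ERRORS:
        return False
    if ev.get("o365.audit.UserId") in (None, "Not Available"):
        return False
    if ev.get("o365.audit.Target.Type") not in TARGET_TYPES:
        return False
    request_type = ev.get("o365.audit.ExtendedProperties.RequestType")
    return request_type is not None and LOGIN_REQUEST.match(request_type.lower()) is not None


def detect_brute_force(events, threshold=THRESHOLD):
    """STATS ... BY target_time_window, UserId, then keep buckets over the threshold.
    Returns {(window_start, user_id): {"login_source_count": n, "failed_login_count": m}}."""
    stats = defaultdict(lambda: {"login_source_count": 0, "failed_login_count": 0})
    for ev in events:
        if not matches_rule_filters(ev):
            continue
        key = (truncate_to_window(ev["@timestamp"]), ev["o365.audit.UserId"])
        stats[key]["failed_login_count"] += 1          # count(*)
        if ev.get("source.ip") is not None:             # count(field) skips nulls
            stats[key]["login_source_count"] += 1
    return {k: v for k, v in stats.items()
            if v["login_source_count"] >= threshold or v["failed_login_count"] >= threshold}


def make_event(ts, user, ip, action="UserLoginFailed", error="InvalidUserNameOrPassword",
               target_type="0", request_type="Login:login", provider="AzureActiveDirectory"):
    """Build one constructed o365.audit event (sample data, not from a real tenant)."""
    return {
        "@timestamp": ts, "event.dataset": "o365.audit",
        "event.category": ["authentication", "iam"], "event.provider": provider,
        "event.action": action, "source.ip": ip, "o365.audit.UserId": user,
        "o365.audit.LogonError": error, "o365.audit.Target.Type": target_type,
        "o365.audit.ExtendedProperties.RequestType": request_type,
    }


def sample_events():
    """Constructed scenario: one sprayed account, one MFA-interrupt false positive,
    one user whose failures straddle two windows, and a typo-prone legitimate user."""
    base = datetime(2024, 1, 15, 10, 0, tzinfo=timezone.utc)
    events = []
    for i in range(25):   # 25 failures from 25 source addresses inside one window
        events.append(make_event(base + timedelta(minutes=i), "victim@example.com", f"203.0.113.{i + 1}"))
    for i in range(3):    # a legitimate user mistyping a password a few times
        events.append(make_event(base + timedelta(minutes=5 + i), "alice@example.com", "198.51.100.7"))
    for i in range(25):   # MFA enrolment interrupts: excluded by LogonError
        events.append(make_event(base + timedelta(minutes=i), "bob@example.com", "198.51.100.8",
                                 error="UserStrongAuthEnrollmentRequired"))
    for i in range(26):   # 13 + 13 failures across two buckets: below threshold in each
        events.append(make_event(base + timedelta(minutes=17 + i), "carol@example.com", "192.0.2.9"))
    return events


if __name__ == "__main__":
    for (window, user), counts in detect_brute_force(sample_events()).items():
        print(window.isoformat(), user, counts)
```

Running the module prints a single alert row for victim@example.com in the 10:00 bucket. Two properties of the rule are visible in the sample: the LogonError exclusion list keeps MFA enrolment interrupts out of the count even when they are numerous, and the fixed 30-minute DATE_TRUNC buckets mean a burst that straddles a boundary can stay below the threshold in both halves. Note also that, exactly as in the query, `count(source.ip)` counts non-null values rather than distinct addresses, so login_source_count and failed_login_count are equal whenever every event carries a source IP; an analyst who wants the "distinct sources" reading the description implies would use COUNT_DISTINCT in ES|QL.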

Framework: MITRE ATT&CK™