Attempts to Brute Force a Microsoft 365 User Account
Identifies attempts to brute force a Microsoft 365 user account. An adversary may attempt a brute force attack to obtain unauthorized access to user accounts.
Rule type: esql
Rule indices: None
Severity: medium
Risk score: 47
Runs every: 5m
Searches indices from: now-9m (Date Math format, see also Additional look-back time)
Maximum alerts per execution: 100
References:
Tags:
- Domain: Cloud
- Domain: SaaS
- Data Source: Microsoft 365
- Use Case: Identity and Access Audit
- Tactic: Credential Access
Version: 209
Rule authors:
- Elastic
- Willem D'Haese
- Austin Songer
Rule license: Elastic License v2
Investigation guide
Setup
The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
Rule query
from logs-o365.audit-*
| MV_EXPAND event.category
| WHERE event.dataset == "o365.audit"
  AND event.category == "authentication"

  // filter only on Entra ID or Exchange audit logs in O365 integration
  AND event.provider in ("AzureActiveDirectory", "Exchange")

  // filter only for UserLoginFailed or partial failures
  AND event.action in ("UserLoginFailed", "PasswordLogonInitialAuthUsingPassword")

  // ignore specific logon errors
  AND not o365.audit.LogonError in (
    "EntitlementGrantsNotFound",
    "UserStrongAuthEnrollmentRequired",
    "UserStrongAuthClientAuthNRequired",
    "InvalidReplyTo",
    "SsoArtifactExpiredDueToConditionalAccess",
    "PasswordResetRegistrationRequiredInterrupt",
    "SsoUserAccountNotFoundInResourceTenant",
    "UserStrongAuthExpired",
    "CmsiInterrupt"
  )

  // filters out non user or application logins based on target
  AND o365.audit.Target.Type in ("0", "2", "3", "5", "6", "10")

  // filters only for logins from user or application, ignoring oauth:token
  AND to_lower(o365.audit.ExtendedProperties.RequestType) rlike "(.*)login(.*)"

| STATS
  // count the number of failed login attempts target per user
  login_attempt_counts = COUNT(*) by o365.audit.Target.ID, o365.audit.LogonError

| WHERE login_attempt_counts > 10
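To see what the rule's filter and aggregation actually do to real-looking data, the following Python reimplements the query's WHERE and STATS logic over a constructed batch of flattened o365.audit events; it is an added illustration, not part of the Elastic rule, and it assumes the dotted field names used in the query above (sample identities and counts are invented).

```python
from collections import Counter

# Constants mirror the rule's WHERE clause.
PROVIDERS = {"AzureActiveDirectory", "Exchange"}
ACTIONS = {"UserLoginFailed", "PasswordLogonInitialAuthUsingPassword"}
IGNORED_LOGON_ERRORS = {
    "EntitlementGrantsNotFound", "UserStrongAuthEnrollmentRequired",
    "UserStrongAuthClientAuthNRequired", "InvalidReplyTo",
    "SsoArtifactExpiredDueToConditionalAccess",
    "PasswordResetRegistrationRequiredInterrupt",
    "SsoUserAccountNotFoundInResourceTenant", "UserStrongAuthExpired", "CmsiInterrupt",
}
TARGET_TYPES = {"0", "2", "3", "5", "6", "10"}

def matches_rule_filter(ev: dict) -> bool:
    """Apply the rule's WHERE clause to one flattened o365.audit event."""
    cats = ev.get("event.category", [])          # MV_EXPAND: accept a list or a scalar
    cats = [cats] if isinstance(cats, str) else cats
    err = ev.get("o365.audit.LogonError")        # in ES|QL, NOT null IN (...) is null, i.e. dropped
    req = str(ev.get("o365.audit.ExtendedProperties.RequestType", "")).lower()
    return (ev.get("event.dataset") == "o365.audit" and "authentication" in cats
            and ev.get("event.provider") in PROVIDERS and ev.get("event.action") in ACTIONS
            and err is not None and err not in IGNORED_LOGON_ERRORS
            and ev.get("o365.audit.Target.Type") in TARGET_TYPES and "login" in req)

def brute_force_candidates(events, threshold: int = 10) -> dict:
    """STATS COUNT(*) BY Target.ID, LogonError, keeping only groups above the threshold."""
    counts = Counter((ev["o365.audit.Target.ID"], ev["o365.audit.LogonError"])
                     for ev in events if matches_rule_filter(ev))
    return {key: n for key, n in counts.items() if n > threshold}

def _event(target_id: str, logon_error: str, **overrides) -> dict:
    """Constructed sample event using the o365 integration's flattened field names."""
    ev = {"event.dataset": "o365.audit", "event.category": ["authentication"],
          "event.provider": "AzureActiveDirectory", "event.action": "UserLoginFailed",
          "o365.audit.LogonError": logon_error, "o365.audit.Target.Type": "0",
          "o365.audit.Target.ID": target_id,
          "o365.audit.ExtendedProperties.RequestType": "OAuth2:Login"}
    ev.update(overrides)
    return ev

# Constructed sample: one user above the threshold, one below it, one whose failures carry an
# ignored MFA-interrupt error, and one whose failures are token requests rather than logins.
SAMPLE_EVENTS = (
    [_event("user-a@example.com", "InvalidUserNameOrPassword")] * 12
    + [_event("user-b@example.com", "InvalidUserNameOrPassword")] * 3
    + [_event("user-c@example.com", "UserStrongAuthEnrollmentRequired")] * 15
    + [_event("user-d@example.com", "InvalidUserNameOrPassword",
              **{"o365.audit.ExtendedProperties.RequestType": "OAuth2:Token"})] * 20
)
```

Only user-a is reported: the other three accounts show why the rule's exclusions matter, since MFA-interrupt errors and OAuth token requests would otherwise inflate the failure counts.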
Framework: MITRE ATT&CK™
- Tactic:
  - Name: Credential Access
  - ID: TA0006
  - Reference URL: https://attack.mitre.org/tactics/TA0006/
- Technique:
  - Name: Brute Force
  - ID: T1110
  - Reference URL: https://attack.mitre.org/techniques/T1110/