sigmaDRL-1.1from SigmaHQ/sigma
Increased Failed Authentications Of Any Type
Detects when sign-ins increased by 10% or greater.
Quality
100
FP risk
—
Forks
0
Views
0
ATT&CK techniques
Rule sourcerules/cloud/azure/signin_logs/azure_ad_auth_failure_increase.yml
title: Increased Failed Authentications Of Any Type
id: e1d02b53-c03c-4948-b11d-4d00cca49d03
status: test
description: Detects when sign-ins increased by 10% or greater.
references:
- https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins
author: Mark Morowczynski '@markmorow', MikeDuddington, '@dudders1'
date: 2022-08-11
tags:
- attack.privilege-escalation
- attack.persistence
- attack.initial-access
- attack.defense-evasion
- attack.t1078
logsource:
product: azure
service: signinlogs
detection:
selection:
Status: failure
Count: "<10%"
condition: selection
falsepositives:
- Unlikely
level: medium