Detection (level: medium, status: test)

Increased Failed Authentications Of Any Type

Detects when failed sign-ins of any type increase by 10% or more compared with the previous baseline.

Authors: Mark Morowczynski, Mike Duddington
Created: Thu Aug 11
Rule ID: e1d02b53-c03c-4948-b11d-4d00cca49d03
Category: cloud
Log Source
Product: azure
Service: signinlogs
Detection Logic
detection:
    selection:
        Status: failure
        Count: "<10%"
    condition: selection
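The `Count: "<10%"` selector above is a string literal, not a comparison Sigma can express: a converter will emit a query that matches the text `<10%` rather than counting anything, and its `<` sign also contradicts the description's "10% or greater". To run this rule in practice it has to be implemented as an aggregation that compares the number of failed sign-ins in the current window against a baseline window. The following is an added example of that comparison, not code from the rule or the Sigma project; the record shape (`createdDateTime`, `status.errorCode` with 0 meaning success), the one-hour windows, the constructed sample records and the use of error code 50126 for the failures are assumptions for illustration.

```python
"""Baseline comparison for "Increased Failed Authentications Of Any Type".

Added example, not code from the Sigma rule or the Sigma project. It assumes
sign-in records shaped like Azure AD / Microsoft Graph signIn entries with a
createdDateTime and a status.errorCode (0 = success, anything else = failure),
and compares failures in the current window against the preceding window of
the same length, alerting when the count grew by the rule's 10% or more.
"""
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(hours=1)   # size of both the current and the baseline window
THRESHOLD = 0.10              # the rule's "10% or greater" increase

# Reference point for the constructed sample data (an arbitrary timestamp).
NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)


def _record(ts, upn, error_code):
    """Build one constructed sign-in record in the assumed shape."""
    return {
        "createdDateTime": ts.isoformat().replace("+00:00", "Z"),
        "userPrincipalName": upn,
        "status": {"errorCode": error_code},
    }


def _window_records(start, failures, successes):
    """Constructed records spread evenly across one window: `failures` sign-ins
    with error code 50126 (invalid credentials) and `successes` with code 0."""
    step = WINDOW / (failures + successes)
    recs = []
    for i in range(failures):
        recs.append(_record(start + i * step, f"user{i % 4}@example.com", 50126))
    for i in range(successes):
        recs.append(_record(start + (failures + i) * step, f"user{i % 4}@example.com", 0))
    return recs


# Constructed sample data (not real log data): 10 failures in the baseline
# window and 12 in the current window, i.e. a 20% increase.
SAMPLE_RECORDS = (
    _window_records(NOW - 2 * WINDOW, failures=10, successes=5)
    + _window_records(NOW - WINDOW, failures=12, successes=5)
)

# Same shape, but no failures at all in the baseline window.
SAMPLE_NO_BASELINE = (
    _window_records(NOW - 2 * WINDOW, failures=0, successes=5)
    + _window_records(NOW - WINDOW, failures=3, successes=5)
)


def _timestamp(record):
    return datetime.fromisoformat(record["createdDateTime"].replace("Z", "+00:00"))


def is_failure(record):
    """Any non-zero errorCode counts as a failed authentication of any type."""
    return record["status"]["errorCode"] != 0


def count_failures(records, start, end):
    """Count failed sign-ins with start <= createdDateTime < end."""
    return sum(1 for r in records if is_failure(r) and start <= _timestamp(r) < end)


def detect_failure_increase(records, now=NOW, window=WINDOW, threshold=THRESHOLD):
    """Compare failures in [now - window, now) with [now - 2*window, now - window).

    Returns the two counts, the relative increase (None when the baseline has
    no failures, because the ratio is then undefined) and the verdict.
    """
    current = count_failures(records, now - window, now)
    baseline = count_failures(records, now - 2 * window, now - window)
    if baseline == 0:
        # No baseline to compare against: avoid dividing by zero and do not
        # alert on a percentage; the raw count is still returned for triage.
        return {"alert": False, "current": current, "baseline": 0, "increase": None}
    increase = (current - baseline) / baseline
    return {
        "alert": increase >= threshold,
        "current": current,
        "baseline": baseline,
        "increase": increase,
    }


if __name__ == "__main__":
    print(detect_failure_increase(SAMPLE_RECORDS))
    print(detect_failure_increase(SAMPLE_NO_BASELINE))
```

A zero-failure baseline is the case a naive percentage query gets wrong (division by zero, or an infinite increase from a single failure); the example returns no percentage verdict there so the consumer can decide on the absolute count instead. In a real deployment the same two-window comparison would be expressed as a scheduled query over the sign-in log table, with the window length and threshold tuned to the tenant's normal failure volume.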
False Positives
Unlikely

False positives are unlikely for most environments. High confidence detection.

Rule Metadata
Rule ID
e1d02b53-c03c-4948-b11d-4d00cca49d03
Status
test
Level
medium
Type
Detection
Created
Thu Aug 11
Path
rules/cloud/azure/signin_logs/azure_ad_auth_failure_increase.yml
Raw Tags
attack.privilege-escalation, attack.persistence, attack.initial-access, attack.defense-evasion, attack.t1078