Azure AD brute force login

azure

Classification:

attack

Tactic:

TA0006-credential-access

Technique:

T1110-brute-force

Set up the azure integration.

Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel, n'hésitez pas à nous contacter.

Goal

Detect when a user is a victim of an Account Take Over (ATO) by a brute force attack.

Strategy

Monitor Azure Active Directory Sign-in logs and detect when any @evt.category is equal to SignInLogs, and @evt.outcome is equal to failure.

Triage and response

  1. Inspect the log and determine if this was a valid login attempt.
  2. If the user was compromised, rotate user credentials.

Changelog

  • 26 October 2022 - Updated query.