fixing and adding new

detections/cloud/high_number_of_login_failures_from_a_single_source.yml

@@ -1,21 +1,22 @@
 name: High Number of Login Failures from a single source
 id: 7f398cfb-918d-41f4-8db8-2e2474e02222
-version: 1
+version: 2
 date: '2020-12-16'
-author: Bhavin Patel, Splunk
-status: experimental
+author: Bhavin Patel, Mauricio Velazco, Splunk
+status: production
 type: Anomaly
 description: This search will detect more than 5 login failures in Office365 Azure
   Active Directory from a single source IP address. Please adjust the threshold value
   of 5 as suited for your environment.
 data_source: []
-search: '`o365_management_activity` Operation=UserLoginFailed  record_type=AzureActiveDirectoryStsLogon
-  app=AzureActiveDirectory | stats count dc(user) as accounts_locked values(user)
-  as user values(LogonError) as LogonError values(authentication_method) as authentication_method
-  values(signature) as signature values(UserAgent) as UserAgent by src_ip record_type
-  Operation app | search accounts_locked >= 5| `high_number_of_login_failures_from_a_single_source_filter`'
+search: '`o365_management_activity` Workload=AzureActiveDirectory Operation=UserLoginFailed record_type=AzureActiveDirectoryStsLogon 
+  | bucket span=5m _time
+  | stats dc(_raw) AS failed_attempts values(user) as user values(LogonError) as LogonError values(signature) as signature values(UserAgent) as UserAgent by _time, src_ip
+  | where failed_attempts > 10
+  | `high_number_of_login_failures_from_a_single_source_filter`'
 how_to_implement: ''
-known_false_positives: unknown
+known_false_positives: An Ip address with more than 20 failed authentication attempts
+  in the span of 5 minutes may also be triggered by a broken application.
 references: []
 tags:
   analytic_story:
@@ -53,6 +54,6 @@ tags:
 tests:
 - name: True Positive Test
   attack_data:
-  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.001/high_number_of_login_failures_from_a_single_source.json
-    sourcetype: o365:management:activity
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.001/o365_high_number_authentications_for_user/o365_high_number_authentications_for_user.log
     source: o365
+    sourcetype: o365:management:activity

detections/cloud/o365_high_number_of_failed_authentications_for_user.yml

@@ -7,7 +7,7 @@ status: production
 type: TTP
 data_source: []
 description: The following analytic identifies an O365 account that has experienced more than 20 failed authentication events within a span of 5 minutes. This could be indicative of an attacker attempting to brute force or guess the password for that particular user account. It leverages the O365 Unified Audit Logs, specifically the "UserLoginFailed" events. By monitoring the frequency and volume of these events for individual users, the analytic can flag accounts that exceed the set threshold of failed attempts within the defined timeframe. Multiple failed login attempts in a short period can be a strong indicator of malicious activity. While there could be benign reasons, such as a user forgetting their password, the rapid succession of failed attempts is often a sign of an attacker trying to gain unauthorized access. By detecting and alerting on this behavior, the SOC can quickly investigate and take appropriate action, potentially stopping an attack in its early stages. Given that environments differ across organizations, security teams should consider customizing the threshold of this detection to better suit their specific needs and risk profile. If an attacker successfully guesses or brute-forces a user's password after numerous attempts, they can gain unauthorized access to the O365 environment. This unauthorized access could allow them to view sensitive emails, documents, and other data.
-search: ' `o365_management_activity` Operation=UserLoginFailed  record_type=AzureActiveDirectoryStsLogon app=AzureActiveDirectory
+search: ' `o365_management_activity` Operation=UserLoginFailed  record_type=AzureActiveDirectoryStsLogon Workload=AzureActiveDirectory
   | bucket span=5m _time 
   | stats  dc(_raw) AS failed_attempts  values(src_ip) by user, _time
   | where failed_attempts > 10

detections/cloud/o365_multiple_users_failing_to_authenticate_from_ip.yml

@@ -0,0 +1,52 @@
+name: O365 Multiple Users Failing To Authenticate From Ip
+id: 8d486e2e-3235-4cfe-ac35-0d042e24ecb4
+version: 1
+date: '2023-10-10'
+author: Mauricio Velazco, Splunk
+status: production
+type: TTP
+data_source: []
+description: UPDATE_DESCRIPTION
+search: '
+  | `o365_multiple_users_failing_to_authenticate_from_ip_filter`'
+how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.
+known_false_positives: A source Ip failing to authenticate with multiple users in a short period of time is not common legitimate behavior.
+references:
+- https://attack.mitre.org/techniques/T1110/003/
+- https://docs.microsoft.com/en-us/security/compass/incident-response-playbook-password-spray
+- https://www.cisa.gov/uscert/ncas/alerts/aa21-008a
+- https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes
+tags:
+  analytic_story:
+  - UPDATE_STORY_NAME
+  asset_type: Office 365 tenant
+  atomic_guid:
+  - UPDATE atomic_guid
+  confidence: 90
+  impact: 70
+  message: Source Ip $src_ip$ failed to authenticate with 20 users within 5 minutes.
+  mitre_attack_id:
+  - T1586
+  - T1586.003
+  - T1110
+  - T1110.003
+  - T1110.004
+  observable:
+  - name: UPDATE
+    type: UPDATE
+    role:
+    - UPDATE
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  risk_score: 63
+  required_fields:
+  - _time
+  security_domain: identity
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: UPDATE url to dataset
+    source: UPDATE source
+    sourcetype: UPDATE sourcetype