issue_2980

detections/cloud/azure_ad_multi_source_failed_authentications_spike.yml

@@ -1,7 +1,7 @@
 name: Azure AD Multi-Source Failed Authentications Spike
 id: 116e11a9-63ea-41eb-a66a-6a13bdc7d2c7
-version: 9
-date: '2025-05-02'
+version: 10
+date: '2025-09-17'
 author: Mauricio Velazco, Splunk
 status: production
 type: Hunting
@@ -16,14 +16,14 @@ description: The following analytic detects potential distributed password spray
   login attempts. If confirmed malicious, this could lead to unauthorized access,
   data breaches, privilege escalation, and lateral movement within the organization's
   infrastructure.
-search: '`azure_monitor_aad` category=SignInLogs properties.status.errorCode=50126 properties.authenticationDetails{}.succeeded=false 
+search: '`azure_monitor_aad` category=*SignInLogs properties.status.errorCode=50126 properties.authenticationDetails{}.succeeded=false 
   | rename properties.* as * 
   | bucket span=5m _time 
   | eval uniqueIPUserCombo = src_ip . "-" . user 
   | rename userAgent as user_agent 
   | fillnull 
   | stats count min(_time) as firstTime max(_time) as lastTime dc(uniqueIPUserCombo) as uniqueIpUserCombinations, dc(user) as uniqueUsers, dc(src_ip) as uniqueIPs, dc(user_agent) as uniqueUserAgents, dc(location.countryOrRegion) as uniqueCountries values(location.countryOrRegion) as countries  values(action) as action values(dest) as dest values(user) as user values(src) as src values(vendor_account) as vendor_account values(vendor_product) as vendor_product values(user_agent) as user_agent
-  | where uniqueIpUserCombinations > 20 AND uniqueUsers > 20 AND uniqueIPs > 20 AND uniqueUserAgents = 1 
+  | where uniqueIpUserCombinations > 20 AND uniqueUsers > 20 AND uniqueIPs > 20 AND uniqueUserAgents >= 1 
   | `security_content_ctime(firstTime)` 
   | `security_content_ctime(lastTime)` 
   | `azure_ad_multi_source_failed_authentications_spike_filter`'