Name:O365 Excessive SSO logon errors id:8158ccc4-6038-11eb-ae93-0242ac130002 version:5 date:2024-09-30 author:Rod Soto, Splunk status:production type:Anomaly Description:The following analytic detects accounts experiencing a high number of Single Sign-On (SSO) logon errors. It leverages data from the `o365_management_activity` dataset, focusing on failed user login attempts with SSO errors. This activity is significant as it may indicate brute-force attempts or the hijacking/reuse of SSO tokens. If confirmed malicious, attackers could potentially gain unauthorized access to user accounts, leading to data breaches, privilege escalation, or further lateral movement within the organization. Data_source:
-O365 UserLoginFailed
search:`o365_management_activity` Workload=AzureActiveDirectory LogonError=*Sso* Operation=UserLoginFailed | stats count min(_time) as firstTime max(_time) as lastTime values(user) as user by src_ip signature user_agent authentication_service action| where count >= 5 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_excessive_sso_logon_errors_filter`
how_to_implement:You must install splunk Microsoft Office 365 add-on. This search works with o365:management:activity known_false_positives:Logon errors may not be malicious in nature however it may indicate attempts to reuse a token or password obtained via credential access attack. References: -https://stealthbits.com/blog/bypassing-mfa-with-pass-the-cookie/ drilldown_searches: name:'View the detection results for - "$user$"' search:'%original_detection_search% | search user = "$user$"' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' name:'View risk events for the last 7 days for - "$user$"' search:'| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' tags: analytic_story: - 'Office 365 Account Takeover' - 'Cloud Federated Credential Abuse' asset_type:O365 Tenant confidence:80 impact:80 message:Excessive number of SSO logon errors from $src_ip$ using UserAgent $user_agent$. mitre_attack_id: - 'T1556' observable: name:'src_ip' type:'IP Address' - role: - 'Attacker' name:'user' type:'User' - role: - 'Victim' product: - 'Splunk Enterprise' - 'Splunk Enterprise Security' - 'Splunk Cloud' required_fields: - '_time' - 'user' - 'src_ip' - 'Workload' - 'LogonError' - 'ActorIpAddress' - 'UserAgent' - 'UserId' - 'authentication_service' - 'authentication_method' - 'Operation' risk_score:64 security_domain:threat
