| ID | Technique | Tactic |
|---|---|---|
| T1556 | Modify Authentication Process | Credential Access |
Detection: O365 Excessive SSO logon errors
Description
The following analytic detects accounts experiencing a high number of Single Sign-On (SSO) logon errors. It leverages data from the o365_management_activity dataset, focusing on failed user login attempts with SSO errors. This activity is significant as it may indicate brute-force attempts or the hijacking/reuse of SSO tokens. If confirmed malicious, attackers could potentially gain unauthorized access to user accounts, leading to data breaches, privilege escalation, or further lateral movement within the organization.
Search
1`o365_management_activity` Workload=AzureActiveDirectory LogonError=*Sso* Operation=UserLoginFailed
2| stats count min(_time) as firstTime max(_time) as lastTime values(user) as user by src_ip signature user_agent authentication_service action
3| where count >= 5
4| `security_content_ctime(firstTime)`
5| `security_content_ctime(lastTime)`
6| `o365_excessive_sso_logon_errors_filter`
Data Source
| Name | Platform | Sourcetype | Source | Supported App |
|---|---|---|---|---|
| O365 UserLoginFailed | N/A | 'o365:management:activity' |
'o365' |
N/A |
Macros Used
| Name | Value |
|---|---|
| o365_management_activity | sourcetype=o365:management:activity |
| o365_excessive_sso_logon_errors_filter | search * |
o365_excessive_sso_logon_errors_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Annotations
MITRE ATT&CK
Kill Chain Phases
NIST
CIS
Threat Actors
KillChainPhase.EXPLOITAITON
KillChainPhase.INSTALLATION
NistCategory.DE_AE
Cis18Value.CIS_10
FIN13
Default Configuration
This detection is configured by default in Splunk Enterprise Security to run with the following settings:
| Setting | Value |
|---|---|
| Disabled | true |
| Cron Schedule | 0 * * * * |
| Earliest Time | -70m@m |
| Latest Time | -10m@m |
| Schedule Window | auto |
| Creates Risk Event | True |
This configuration file applies to all detections of type anomaly. These detections will use Risk Based Alerting.
Implementation
You must install splunk Microsoft Office 365 add-on. This search works with o365:management:activity
Known False Positives
Logon errors may not be malicious in nature however it may indicate attempts to reuse a token or password obtained via credential access attack.
Associated Analytic Story
Risk Based Analytics (RBA)
| Risk Message | Risk Score | Impact | Confidence |
|---|---|---|---|
| Excessive number of SSO logon errors from $src_ip$ using UserAgent $user_agent$. | 64 | 80 | 80 |
The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact is set by the analytic author.
References
Detection Testing
| Test Type | Status | Dataset | Source | Sourcetype |
|---|---|---|---|---|
| Validation | ✅ Passing | N/A | N/A | N/A |
| Unit | ✅ Passing | Dataset | o365 |
o365:management:activity |
| Integration | ✅ Passing | Dataset | o365 |
o365:management:activity |
Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range
Source: GitHub | Version: 4