
Azure AD Multi-Source Failed Authentications Spike

Splunk Security Content

Summary
This detection rule identifies potential distributed password spraying attacks in an Azure Active Directory (AD) environment by looking for spikes in failed authentication attempts spread across many user and IP combinations. It examines Azure AD SignInLogs events carrying error code 50126, which indicates a failure during the authentication process, and tracks the number of distinct source IPs, user agents and countries involved, in order to surface patterns that suggest a coordinated adversary attempting to bypass security measures by distributing login attempts. High counts of unique user combinations, IP addresses and user agents indicate suspicious behaviour and warrant further investigation, since a successful spray could lead to unauthorized access, privilege escalation and data breaches within the organization's infrastructure.
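The aggregation the summary describes, written out as an added Python example rather than the rule's own Splunk search: records with error code 50126 are grouped into hourly buckets, the distinct users, source IPs, user agents and countries per bucket are counted, and a bucket is flagged when those counts cross thresholds. The sample records are constructed, the field names follow the Azure AD sign-in log schema as assumed here, and the threshold values are illustrative assumptions, not the values the rule actually uses.

```python
"""Spike detection over Azure AD SignInLogs-shaped records (added example)."""
from collections import defaultdict
from datetime import datetime, timezone

# Error code the rule keys on; the page describes it as an authentication failure.
PASSWORD_FAILURE_CODE = 50126

# Constructed sample records (not real data). Field names assume the
# Azure AD sign-in log schema: userPrincipalName, ipAddress, userAgent,
# location.countryOrRegion and status.errorCode.
SAMPLE_SIGNIN_LOGS = [
    # A quiet hour: one user mistypes a password twice, then signs in.
    {"createdDateTime": "2024-11-14T08:05:00Z", "userPrincipalName": "alice@example.com",
     "ipAddress": "203.0.113.10", "userAgent": "UA-A",
     "location": {"countryOrRegion": "US"}, "status": {"errorCode": 50126}},
    {"createdDateTime": "2024-11-14T08:07:00Z", "userPrincipalName": "alice@example.com",
     "ipAddress": "203.0.113.10", "userAgent": "UA-A",
     "location": {"countryOrRegion": "US"}, "status": {"errorCode": 50126}},
    {"createdDateTime": "2024-11-14T08:09:00Z", "userPrincipalName": "alice@example.com",
     "ipAddress": "203.0.113.10", "userAgent": "UA-A",
     "location": {"countryOrRegion": "US"}, "status": {"errorCode": 0}},
]
# A noisy hour: twelve different users, twelve source IPs, five user agents and
# three countries, every attempt failing with 50126. Constructed values.
for i in range(12):
    SAMPLE_SIGNIN_LOGS.append({
        "createdDateTime": f"2024-11-14T09:{i * 4:02d}:00Z",
        "userPrincipalName": f"user{i}@example.com",
        "ipAddress": f"198.51.100.{i + 1}",
        "userAgent": f"UA-{i % 5}",
        "location": {"countryOrRegion": ["US", "DE", "BR"][i % 3]},
        "status": {"errorCode": 50126},
    })


def aggregate_failed_signins(records, bucket_minutes=60):
    """Group 50126 sign-ins into fixed time buckets and collect the distinct
    users, IPs, user agents, countries and user/IP pairs seen in each bucket.
    Returns {bucket_start_iso: {...}}."""
    width = bucket_minutes * 60
    buckets = defaultdict(lambda: {"failures": 0, "users": set(), "ips": set(),
                                   "user_agents": set(), "countries": set(),
                                   "user_ip_pairs": set()})
    for rec in records:
        if rec.get("status", {}).get("errorCode") != PASSWORD_FAILURE_CODE:
            continue
        ts = datetime.fromisoformat(rec["createdDateTime"].replace("Z", "+00:00"))
        start = datetime.fromtimestamp(int(ts.timestamp()) // width * width,
                                       tz=timezone.utc).isoformat()
        b = buckets[start]
        b["failures"] += 1
        b["users"].add(rec["userPrincipalName"])
        b["ips"].add(rec["ipAddress"])
        b["user_agents"].add(rec.get("userAgent", ""))
        b["countries"].add(rec.get("location", {}).get("countryOrRegion", ""))
        b["user_ip_pairs"].add((rec["userPrincipalName"], rec["ipAddress"]))
    return dict(buckets)


def flag_spikes(buckets, min_failures=10, min_users=5, min_ips=5, min_user_agents=3):
    """Return [(bucket_start, counts)] for buckets whose distinct-entity counts
    reach every threshold. Threshold defaults are assumed, not the rule's own."""
    alerts = []
    for start, b in sorted(buckets.items()):
        counts = {"failures": b["failures"], "users": len(b["users"]),
                  "ips": len(b["ips"]), "user_agents": len(b["user_agents"]),
                  "countries": len(b["countries"]),
                  "user_ip_pairs": len(b["user_ip_pairs"])}
        if (counts["failures"] >= min_failures and counts["users"] >= min_users
                and counts["ips"] >= min_ips and counts["user_agents"] >= min_user_agents):
            alerts.append((start, counts))
    return alerts


if __name__ == "__main__":
    for start, counts in flag_spikes(aggregate_failed_signins(SAMPLE_SIGNIN_LOGS)):
        print(f"spike at {start}: {counts}")
```

Requiring all of the distinct-user, distinct-IP and distinct-user-agent counts to rise together is what separates a distributed spray from a single user or a single misconfigured client retrying: the quiet 08:00 bucket in the sample has two failures from one user and one IP and is not reported, while the 09:00 bucket is.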
Categories
  • Cloud
  • Identity Management
Data Sources
  • Cloud Service
  • User Account
ATT&CK Techniques
  • T1110
  • T1586
  • T1586.003
  • T1110.003
  • T1110.004
Created: 2024-11-14