Azure AD Unusual Number of Failed Authentications From Ip

Splunk Security Content

Summary
This detection rule targets unusual patterns of authentication failures in Azure Active Directory (Azure AD), specifically cases where a single source IP address attempts to authenticate as many valid user accounts and fails. Such behaviour is often indicative of a Password Spraying attack, in which an adversary sequentially tries a few common passwords against a large number of accounts. The rule leverages Azure SignInLogs data and applies statistical analysis (the 3-sigma rule) to identify when the number of failed attempts from a source IP exceeds what is normal for that IP. If such an attack succeeds, it could lead to unauthorized access and privilege elevation within the Azure AD environment, resulting in potential data breaches or the compromise of sensitive information.
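The following Python is an added illustration of the 3-sigma logic described above, not the rule's own SPL: it aggregates failed sign-ins per source IP from constructed, simplified records (the field names ip, user and resultType are an assumption, not the real SignInLogs schema) and flags IPs whose failure count exceeds mean + 3σ of the other IPs in the window while touching at least min_users distinct accounts. The leave-one-out baseline and the min_users threshold are design choices assumed here.

```python
# Added example: toy re-implementation of the 3-sigma logic described above.
# Records use simplified, constructed field names (an assumption, not the real
# SignInLogs schema): ip, user, resultType ("0" = success, else an AAD error code).
from collections import defaultdict
from statistics import mean, pstdev


def detect_spray_sources(events, sigma=3.0, min_users=5):
    """Return source IPs whose failed-sign-in count exceeds mean + sigma*stdev of the
    other IPs in the window and that touched at least min_users distinct accounts.

    Assumption: the baseline for each IP is leave-one-out (every *other* IP). Including
    the IP under test inflates the stdev and lets a single heavy sprayer mask itself.
    """
    failures, users = defaultdict(int), defaultdict(set)
    for e in events:
        if e["resultType"] != "0":          # only failed sign-ins count
            failures[e["ip"]] += 1
            users[e["ip"]].add(e["user"])
    hits = []
    for ip, count in failures.items():
        baseline = [c for other, c in failures.items() if other != ip]
        if len(baseline) < 2:               # too few peers to estimate "normal"
            continue
        threshold = mean(baseline) + sigma * pstdev(baseline)
        if count > threshold and len(users[ip]) >= min_users:
            hits.append({"ip": ip, "failures": count, "distinct_users": len(users[ip]),
                         "threshold": round(threshold, 2)})
    return sorted(hits, key=lambda h: h["failures"], reverse=True)


def sample_events():
    """Constructed sample: eight workstations each mistyping one user's password a few
    times, plus one external address failing once against 40 different accounts."""
    ev = []
    for i in range(8):
        for _ in range(1 + i % 3):
            ev.append({"ip": f"10.0.0.{i + 1}", "user": f"user{i}@corp.example",
                       "resultType": "50126"})   # 50126 = invalid username or password
    for k in range(40):
        ev.append({"ip": "203.0.113.7", "user": f"user{k}@corp.example",
                   "resultType": "50126"})
    ev.append({"ip": "10.0.0.1", "user": "user0@corp.example", "resultType": "0"})
    return ev


if __name__ == "__main__":
    for hit in detect_spray_sources(sample_events()):
        print(hit)    # the 203.0.113.7 source is the only one flagged
```

Note that with a population baseline that includes the IP under test, the 40-failure source would raise the standard deviation enough to hide below its own threshold; the leave-one-out baseline avoids that masking effect.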
Categories
  • Cloud
  • Identity Management
Data Sources
  • Cloud Service
ATT&CK Techniques
  • T1110
  • T1586
  • T1586.003
  • T1110.003
  • T1110.004
Created: 2024-11-14