Skip to content

[Rule Tuning] Add exceptions for non-interactive signin failures for Entra M365 Bruteforce #4405

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 10 commits into
base: main
Choose a base branch
from
Open

[Rule Tuning] Add exceptions for non-interactive signin failures for Entra M365 Bruteforce #4405

wants to merge 10 commits into from

Conversation

jvalente-salemstate
Copy link
Contributor

@jvalente-salemstate jvalente-salemstate commented Jan 22, 2025
edited
Loading

Include exceptions for error codes, restricted to NonInteractiveUserSignInLogs and token refreshes:

  • 70043 : Refresh token expired or no longer valid due to conditional access frequency checks
  • 70044 : Session expired or no longer valid due to conditional access frequency checks
  • 50057 : User account is disabled

Failures in the first two cases are the result of logins that were both successful and have passed an applicable Conditional Access policy. The third code simply avoids alerts from an account that's been disabled but still is seeing noninteractive sign-in attempts.

There is a possibility of false negatives in the cases of (invalidated) token theft, but this is neither true case of "brute force", and a detection rule specifically for token theft would be better suited for this.

Pull Request

Issue link(s):

Summary - What I changed

To exclude non-interactive signins for a token refresh, I've modified the query to include

  and not (azure.signinlogs.category == "NonInteractiveUserSignInLogs"
      and azure.signinlogs.properties.status.error_code in (70043, 70044, 50057)
      and azure.signinlogs.properties.incoming_token_type in ("primaryRefreshToken", "refreshToken"))

Contributor checklist

@jvalente-salemstate
Add exceptions for non-interactive signin failures.
e1dcce1 
Include exceptions for error codes, restricted to `NonInteractiveUserSignInLogs` and token refreshes:

- 70043 : Refresh token expired or no longer valid due to conditional access frequency checks
- 70044 : Session expired or no longer valid due to conditional access frequency checks
- 50057 : User account is disabled
@botelastic botelastic bot added Domain: Cloud Integration: Azure azure related rules labels Jan 22, 2025
@terrancedejesus terrancedejesus self-assigned this Jan 22, 2025
@Mikaayenson Mikaayenson added the Rule: Tuning tweaking or tuning an existing rule label Jan 24, 2025
@github-actions GitHub Actions
Copy link
Contributor

Rule: Tuning - Guidelines

These guidelines serve as a reminder set of considerations when tuning an existing rule.

Documentation and Context

  • Detailed description of the suggested changes.
  • Provide example JSON data or screenshots.
  • Provide evidence of reducing benign events mistakenly identified as threats (False Positives).
  • Provide evidence of enhancing detection of true threats that were previously missed (False Negatives).
  • Provide evidence of optimizing resource consumption and execution time of detection rules (Performance).
  • Provide evidence of specific environment factors influencing customized rule tuning (Contextual Tuning).
  • Provide evidence of improvements made by modifying sensitivity by changing alert triggering thresholds (Threshold Adjustments).
  • Provide evidence of refining rules to better detect deviations from typical behavior (Behavioral Tuning).
  • Provide evidence of improvements of adjusting rules based on time-based patterns (Temporal Tuning).
  • Provide reasoning of adjusting priority or severity levels of alerts (Severity Tuning).
  • Provide evidence of improving quality integrity of our data used by detection rules (Data Quality).
  • Ensure the tuning includes necessary updates to the release documentation and versioning.

Rule Metadata Checks

  • updated_date matches the date of tuning PR merged.
  • min_stack_version should support the widest stack versions.
  • name and description should be descriptive and not include typos.
  • query should be inclusive, not overly exclusive. Review to ensure the original intent of the rule is maintained.

Testing and Validation

  • Validate that the tuned rule's performance is satisfactory and does not negatively impact the stack.
  • Ensure that the tuned rule has a low false positive rate.

terrancedejesus
terrancedejesus approved these changes Feb 20, 2025
View reviewed changes
Copy link
Contributor

@terrancedejesus terrancedejesus left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you for the exceptions @jvalente-salemstate !

@jvalente-salemstate
Copy link
Contributor Author

@terrancedejesus it looks like the conflict in this merge is just the last update date due to #4358 being merged in between this PR and the last change to the rule. Is this something I should fix (with a more recent date?) or should this be done by someone who can do the merge?

@terrancedejesus
Copy link
Contributor

@jvalente-salemstate - fixed it for ya. Just updated to today's date. Once done, you should be good to merge!

@terrancedejesus
Copy link
Contributor

@jvalente-salemstate - Just need to update the updated_date in the rule metadata. Then your good to merge I believe!

@jvalente-salemstate
Copy link
Contributor Author

jvalente-salemstate commented Apr 18, 2025
edited
Loading

@terrancedejesus all set.

@terrancedejesus
Copy link
Contributor

@jvalente-salemstate - awesome. Once checks pass, feel free to merge. If your unable to just let me know and I can merge that for ya.

@jvalente-salemstate
Copy link
Contributor Author

@terrancedejesus I cannot merge. I have a "Merging is blocked. You're not authorized to push to this branch" warning where the button would be.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@eric-forte-elastic eric-forte-elastic eric-forte-elastic left review comments

@Mikaayenson Mikaayenson Mikaayenson approved these changes

@Samirbous Samirbous Samirbous approved these changes

@terrancedejesus terrancedejesus terrancedejesus approved these changes

Assignees

@terrancedejesus terrancedejesus

Labels
backport: auto community Domain: Cloud Integration: Azure azure related rules Rule: Tuning tweaking or tuning an existing rule
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

[Rule Tuning] Azure Entra Sign-in Brute Force against Microsoft 365 Accounts
5 participants
@jvalente-salemstate @terrancedejesus @Mikaayenson @Samirbous @eric-forte-elastic