[Rule Deprecation] Azure Entra Sign-in Brute Force Microsoft 365 Accounts by Repeat Source

[terrancedejesus]

Pull Request

Issue link(s):

• Azure Entra Sign-in Brute Force Microsoft 365 Accounts by Repeat Source

Summary - What I changed

Begins deprecation process for Azure Entra Sign-in Brute Force Microsoft 365 Accounts by Repeat Source by prefixing with Deprecated - . Reason: After tuning a separate BF rule for M365, the logic in this rule overlaps. The new rule tuning should catch not only password spraying from a single source but other variations of password spraying and brute-force in general.

How To Test

Checklist

• Added a label for the type of pr: bug, enhancement, schema, maintenance, Rule: New, Rule: Deprecation, Rule: Tuning, Hunt: New, or Hunt: Tuning so guidelines can be generated
• Added the meta:rapid-merge label if planning to merge within 24 hours
• Secret and sensitive material has been managed correctly
• Automated testing was updated or added to match the most common scenarios
• Documentation and comments were added for features that require explanation

Contributor checklist

• Have you signed the contributor license agreement?
• Have you followed the contributor guidelines?

[github-actions]

Rule: Deprecation - Guidelines

These guidelines serve as a reminder set of considerations when recommending the deprecation of a rule.

Documentation and Context

• Description of the reason for deprecation.
• Include any context or historical data supporting the deprecation decision.

Rule Metadata Checks

• deprecated = true added to the rule metadata.
• updated_date should be the date of the PR.

Testing and Validation

• A prior rule tuning occurred for the rule where Deprecated - is prepended to the rule name, and the rule has already been released.
• Rule has be moved to the _deprecated directory.
• Double check gaps potentially or inadvertently introduced.
• Provide evidence that the rule is no longer needed or has been replaced (e.g., alternative rules, updated detection methods).