
[Rule Deprecation] Azure Entra Sign-in Brute Force Microsoft 365 Accounts by Repeat Source #4780


Merged
merged 4 commits into from
Jun 10, 2025


terrancedejesus

Pull Request

Issue link(s):

  • Azure Entra Sign-in Brute Force Microsoft 365 Accounts by Repeat Source

Summary - What I changed

Begins deprecation process for Azure Entra Sign-in Brute Force Microsoft 365 Accounts by Repeat Source by prefixing with Deprecated - . Reason: After tuning a separate BF rule for M365, the logic in this rule overlaps. The new rule tuning should catch not only password spraying from a single source but other variations of password spraying and brute-force in general.

How To Test

Checklist

  • Added a label for the type of pr: bug, enhancement, schema, maintenance, Rule: New, Rule: Deprecation, Rule: Tuning, Hunt: New, or Hunt: Tuning so guidelines can be generated
  • Added the meta:rapid-merge label if planning to merge within 24 hours
  • Secret and sensitive material has been managed correctly
  • Automated testing was updated or added to match the most common scenarios
  • Documentation and comments were added for features that require explanation

Contributor checklist


github-actions bot commented Jun 6, 2025

Rule: Deprecation - Guidelines

These guidelines serve as a reminder set of considerations when recommending the deprecation of a rule.

Documentation and Context

  • Description of the reason for deprecation.
  • Include any context or historical data supporting the deprecation decision.

Rule Metadata Checks

  • deprecated = true added to the rule metadata.
  • updated_date should be the date of the PR.

Testing and Validation

  • A prior rule tuning occurred for the rule where Deprecated - is prepended to the rule name, and the rule has already been released.
  • Rule has been moved to the _deprecated directory.
  • Double check gaps potentially or inadvertently introduced.
  • Provide evidence that the rule is no longer needed or has been replaced (e.g., alternative rules, updated detection methods).

@terrancedejesus terrancedejesus marked this pull request as ready for review June 6, 2025 15:12
@terrancedejesus terrancedejesus requested review from w0rk3r, DefSecSentinel, imays11, Samirbous and Aegrah and removed request for w0rk3r June 6, 2025 15:12
@terrancedejesus terrancedejesus merged commit c7c1586 into main Jun 10, 2025
11 checks passed
@terrancedejesus terrancedejesus deleted the rule-deprecation-m365-bf-repeat-source branch June 10, 2025 16:02
Successfully merging this pull request may close these issues.

[Deprecation] Azure Entra Sign-in Brute Force Microsoft 365 Accounts by Repeat Source
4 participants