-
Notifications
You must be signed in to change notification settings - Fork 583
[New Rule] Microsoft Entra ID Excessive Account Lockouts Detected #4782
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[New Rule] Microsoft Entra ID Excessive Account Lockouts Detected #4782
Conversation
Rule: New - GuidelinesThese guidelines serve as a reminder set of considerations when proposing a new rule. Documentation and Context
Rule Metadata Checks
New BBR Rules
Testing and Validation
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is this rule why you excluded 50053 from the larger brute force rule?
AND user_agent != "Mozilla/5.0 (compatible; MSAL 1.0) PKeyAuth/1.0" | ||
AND asn_org != "MICROSOFT-CORP-MSN-AS-BLOCK" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
are those really necessary, they make t easy (Esp user agent to bypass the rule) ?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It filters out any MSAL-based auth for proof-of-possesion so mainly certificates for device authentication. Your right, I don't think we have to filter out in this instance for lockouts. However, UAs are unfortunately sometimes the only good fingerprint we may have globally for cloud workloads or IdP based requests.
Pull Request
Issue link(s):
Summary - What I changed
Adds a new rule for Entra ID excessive account lockouts being reported as error codes when attempting authentication. This may be indicative of brute forcing attempts by an adversary. Please see linked issue for more details.
How To Test
Checklist
bug
,enhancement
,schema
,maintenance
,Rule: New
,Rule: Deprecation
,Rule: Tuning
,Hunt: New
, orHunt: Tuning
so guidelines can be generatedmeta:rapid-merge
label if planning to merge within 24 hoursContributor checklist