
[Rule Tuning] Microsoft Entra ID Excessive Account Lockouts #5314

@terrancedejesus

Description

Summary

Simplify the Microsoft Entra ID Excessive Account Lockouts rule by switching to threshold. Core logic and stat considerations do not change.

We can adjust the rule to be a threshold rule with no specified group-by field, but a cardinality of 15 for user.name, which is the same logic as the ESQL aggregation.

Ref SDH: https://github.com/elastic/sdh-protections/issues/639

event.dataset: "azure.signinlogs" and event.category: "authentication"
    and azure.signinlogs.category: ("NonInteractiveUserSignInLogs" or "SignInLogs")
    and event.outcome: "failure"
    and azure.signinlogs.properties.authentication_requirement: "singleFactorAuthentication"
    and azure.signinlogs.properties.status.error_code: 50053
    and azure.signinlogs.properties.user_principal_name: *
    and not azure.signinlogs.properties.user_principal_name: ""
    and not source.as.organization.name: "MICROSOFT-CORP-MSN-as-BLOCK"
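A worked version of the threshold logic described in the summary, added here as an illustration and not the rule file from elastic/detection-rules: the same predicate as the KQL query above is applied to each document, and then, with no group-by field, a cardinality of 15 distinct user.name values across the matching documents fires the alert. The sample sign-in documents are constructed, and the code assumes the Azure integration populates user.name from the user principal name.

```python
"""Threshold-rule logic for the Entra ID excessive account lockouts rule.

Added illustration, not the rule file from elastic/detection-rules: each
document is filtered with the same predicate as the KQL query, and then a
cardinality threshold on user.name is applied with no group-by field.
All sample documents are constructed; user.name is assumed to be populated
from the user principal name by the Azure integration.
"""
from typing import Any, Iterable, Optional

BLOCKED_ASN_ORG = "MICROSOFT-CORP-MSN-as-BLOCK"
ERROR_CODE_ACCOUNT_LOCKED = 50053  # Entra ID sign-in error: account locked
CARDINALITY_USERS = 15             # distinct user.name values needed to alert


def get(doc: dict, dotted: str) -> Any:
    """Resolve a dotted field name against a nested document; None if absent."""
    cur: Any = doc
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def set_field(doc: dict, dotted: str, value: Any) -> None:
    """Set a dotted field, creating intermediate objects as needed."""
    parts = dotted.split(".")
    cur = doc
    for part in parts[:-1]:
        cur = cur.setdefault(part, {})
    cur[parts[-1]] = value


def field_is(doc: dict, dotted: str, *allowed: Any) -> bool:
    """KQL-style match: the field equals, or (for array fields) contains, a value."""
    value = get(doc, dotted)
    values = value if isinstance(value, list) else [value]
    return any(v in allowed for v in values)


def matches_query(doc: dict) -> bool:
    """The KQL predicate from the issue, evaluated on a single document."""
    upn = get(doc, "azure.signinlogs.properties.user_principal_name")
    return (
        field_is(doc, "event.dataset", "azure.signinlogs")
        and field_is(doc, "event.category", "authentication")
        and field_is(doc, "azure.signinlogs.category", "NonInteractiveUserSignInLogs", "SignInLogs")
        and field_is(doc, "event.outcome", "failure")
        and field_is(doc, "azure.signinlogs.properties.authentication_requirement", "singleFactorAuthentication")
        and field_is(doc, "azure.signinlogs.properties.status.error_code", ERROR_CODE_ACCOUNT_LOCKED)
        and upn not in (None, "")  # user_principal_name: * and not ""
        and not field_is(doc, "source.as.organization.name", BLOCKED_ASN_ORG)
    )


def distinct_locked_users(docs: Iterable[dict]) -> set:
    """user.name values across all matching documents in the rule window."""
    return {get(d, "user.name") for d in docs if matches_query(d) and get(d, "user.name")}


def threshold_fires(docs: Iterable[dict], cardinality: int = CARDINALITY_USERS) -> bool:
    """Threshold rule with no group-by field: one alert when the distinct
    user.name count over matching documents reaches the cardinality."""
    return len(distinct_locked_users(docs)) >= cardinality


def make_event(user: str, overrides: Optional[dict] = None) -> dict:
    """Constructed azure.signinlogs document (not real telemetry) for a
    single-factor sign-in rejected because the account is locked."""
    doc = {
        "event": {"dataset": "azure.signinlogs", "category": ["authentication"], "outcome": "failure"},
        "user": {"name": user},
        "source": {"as": {"organization": {"name": "EXAMPLE-ISP"}}},
        "azure": {"signinlogs": {
            "category": "SignInLogs",
            "properties": {
                "user_principal_name": f"{user}@example.com" if user else "",
                "authentication_requirement": "singleFactorAuthentication",
                "status": {"error_code": ERROR_CODE_ACCOUNT_LOCKED},
            },
        }},
    }
    for dotted, value in (overrides or {}).items():
        set_field(doc, dotted, value)
    return doc


def sample_events(n_locked_users: int) -> list:
    """n distinct locked-out users plus noise the query must drop or not double count."""
    locked = [make_event(f"user{i:02d}") for i in range(1, n_locked_users + 1)]
    noise = [
        make_event("user01"),  # repeat lockout: matches, but cardinality is unchanged
        make_event("mfa.user", {"azure.signinlogs.properties.authentication_requirement": "multiFactorAuthentication"}),
        make_event("wrong.pw", {"azure.signinlogs.properties.status.error_code": 50126}),  # a different failure code
        make_event("scanner", {"source.as.organization.name": BLOCKED_ASN_ORG}),
        make_event("", {"user.name": "ghost"}),  # empty user_principal_name is excluded
    ]
    return locked + noise


if __name__ == "__main__":
    for n in (14, 15):
        print(n, "distinct lockouts ->", "alert" if threshold_fires(sample_events(n)) else "no alert")
```

Two things to check when making this change in Kibana: with no group-by field the cardinality is computed over every matching document in the rule window, so lockouts spread across many source IPs still add up to one alert, and the cardinality field (user.name) is not the field the query filters on (azure.signinlogs.properties.user_principal_name), so confirm the integration fills user.name for these documents or the unique count will be lower than the number of locked accounts.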
