Rule Tuning Type
False Positives - Reducing benign events mistakenly identified as threats.
Description
We have found that non-interactive signins with expired or invalid tokens are generating a volume of false positives.
Generally, these reflect tokens/sessions that are/were successful logins, passing conditional access. If the token/session is invalid or expires due to a CA frequency check, this will log as a failure. There may be cases where this indicates token theft (of a since-invalidated token), but these would be better identified in a search for token theft rather than brute force.
The following azure.signinlogs.properties.status.error_code values are our highest-volume offenders and make up the majority of the generated alerts.
70043 : Refresh token expired or no longer valid due to conditional access frequency checks
70044 : Session expired or no longer valid due to conditional access frequency checks
Example Data
Exclude non-interactive logins that are refreshing tokens and failing with specific error codes. This restricts the error-code exclusion to the specific false positive described in this issue.
and not (azure.signinlogs.category == "NonInteractiveUserSignInLogs"
and azure.signinlogs.properties.status.error_code in (70043, 70044, 50057)
and azure.signinlogs.properties.incoming_token_type in ("primaryRefreshToken", "refreshToken"))
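To show what the exclusion above actually does to the brute-force count, here is an added Python example that applies the same three conditions to a handful of constructed sign-in events. It is not code from this issue or from elastic/detection-rules; it assumes the events have been flattened to the dotted field names used in the snippet, plus event.outcome and azure.signinlogs.properties.user_principal_name for the per-user aggregation, and the sample events are constructed, not real telemetry.

```python
"""Apply the issue's proposed exclusion to sample Entra ID sign-in events.

Added example, not code from the issue or from elastic/detection-rules. Field
names follow the Elastic Azure integration (azure.signinlogs.*) used in the
issue's snippet; events are flattened to dotted keys and are constructed
samples, not real telemetry.
"""
from collections import Counter

# The three conditions from the issue's exclusion, expressed as Python sets.
EXCLUDED_CATEGORY = "NonInteractiveUserSignInLogs"
EXCLUDED_ERROR_CODES = {70043, 70044, 50057}
EXCLUDED_TOKEN_TYPES = {"primaryRefreshToken", "refreshToken"}


def is_benign_token_refresh_failure(event: dict) -> bool:
    """True only when all three exclusion conditions hold, mirroring the snippet."""
    return (
        event.get("azure.signinlogs.category") == EXCLUDED_CATEGORY
        and event.get("azure.signinlogs.properties.status.error_code") in EXCLUDED_ERROR_CODES
        and event.get("azure.signinlogs.properties.incoming_token_type") in EXCLUDED_TOKEN_TYPES
    )


def count_failures_per_user(events, apply_exclusion=True):
    """Count failed sign-ins per user, the aggregation a brute-force rule keys on.

    Only events with event.outcome == "failure" count. With apply_exclusion=True
    the benign token-refresh failures are dropped before counting.
    """
    counts = Counter()
    for ev in events:
        if ev.get("event.outcome") != "failure":
            continue
        if apply_exclusion and is_benign_token_refresh_failure(ev):
            continue
        counts[ev["azure.signinlogs.properties.user_principal_name"]] += 1
    return counts


def _event(user, category, error_code, token_type, outcome="failure"):
    """Build one constructed sample event carrying the fields the filter reads."""
    return {
        "event.outcome": outcome,
        "azure.signinlogs.category": category,
        "azure.signinlogs.properties.status.error_code": error_code,
        "azure.signinlogs.properties.incoming_token_type": token_type,
        "azure.signinlogs.properties.user_principal_name": user,
    }


# Constructed samples. alice's device keeps retrying expired/invalidated tokens
# (the noise described in the issue); bob gets genuine password failures (50126 is
# the Entra "invalid username or password" code); carol fails non-interactively
# but with neither a listed error code nor a refresh-token type, so she still counts.
SAMPLE_EVENTS = [
    _event("alice@example.com", "NonInteractiveUserSignInLogs", 70043, "refreshToken"),
    _event("alice@example.com", "NonInteractiveUserSignInLogs", 70044, "primaryRefreshToken"),
    _event("alice@example.com", "NonInteractiveUserSignInLogs", 50057, "refreshToken"),
    # Same error code but an interactive sign-in: category does not match, still counted.
    _event("alice@example.com", "SignInLogs", 70043, "refreshToken"),
    _event("bob@example.com", "SignInLogs", 50126, "none"),
    _event("bob@example.com", "SignInLogs", 50126, "none"),
    _event("bob@example.com", "SignInLogs", 0, "none", outcome="success"),
    _event("carol@example.com", "NonInteractiveUserSignInLogs", 50126, "none"),
]

if __name__ == "__main__":
    print("without exclusion:", dict(count_failures_per_user(SAMPLE_EVENTS, apply_exclusion=False)))
    print("with exclusion:   ", dict(count_failures_per_user(SAMPLE_EVENTS)))
```

Running it, alice drops from four counted failures to one: the three refresh-token retries are removed, while the interactive failure with the same error code is kept because all three conditions must hold. bob's password failures and carol's non-interactive failure with an unlisted code are untouched, which is the behaviour the issue wants: the exclusion narrows only the token-refresh noise, and the dropped events remain available to a separate token-theft search.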
Link to Rule
https://github.com/elastic/detection-rules/blob/main/rules/integrations/azure/credential_access_entra_signin_brute_force_microsoft_365.toml