[Rule Tuning] Add exceptions for non-interactive signin failures for Entra M365 Bruteforce

[jvalente-salemstate]

Include exceptions for error codes, restricted to NonInteractiveUserSignInLogs and token refreshes:

• 70043 : Refresh token expired or no longer valid due to conditional access frequency checks
• 70044 : Session expired or no longer valid due to conditional access frequency checks
• 50057 : User account is disabled

Failures in the first two cases are the result of logins that were both successful and have passed an applicable Conditional Access policy. The third code simply avoids alerts from an account that's been disabled but still is seeing noninteractive sign-in attempts.

There is a possibility of false negatives in the cases of (invalidated) token theft, but this is neither true case of "brute force", and a detection rule specifically for token theft would be better suited for this.

Pull Request

Issue link(s):

• Closes [Rule Tuning] Azure Entra Sign-in Brute Force against Microsoft 365 Accounts #4404
• Related to [Rule Tuning] Azure Entra Sign-in Brute Force against Microsoft 365 Accounts #4262

Summary - What I changed

To exclude non-interactive signins for a token refresh, I've modified the query to include

  and not (azure.signinlogs.category == "NonInteractiveUserSignInLogs"
      and azure.signinlogs.properties.status.error_code in (70043, 70044, 50057)
      and azure.signinlogs.properties.incoming_token_type in ("primaryRefreshToken", "refreshToken"))

Contributor checklist

• Have you signed the contributor license agreement?
• Have you followed the contributor guidelines?