M365 Identity Unusual SSO Authentication Errors for User

About

Tags

Domain: IdentityData Source: Microsoft 365Data Source: Microsoft 365 Audit LogsUse Case: Identity and Access AuditUse Case: Threat DetectionTactic: Initial AccessLanguage: kuery

Severity

medium

Risk Score

47

MITRE ATT&CK™

Initial Access (TA0001)(external, opens in a new tab or window)

↳ Valid Accounts (T1078)(external, opens in a new tab or window)

↳ Phishing (T1566)(external, opens in a new tab or window)

False Positive Examples

Initial SSO configuration issues or first-time federation setup errors for legitimate users may trigger this detection. Temporary federation service outages affecting multiple users simultaneously.

License

Elastic License v2(external, opens in a new tab or window)

Definition

Rule Type

New Terms Rule

Integration Pack

Prebuilt Security Detection Rules

Index Patterns

logs-o365.audit-*filebeat-*

Related Integrations

o365(external, opens in a new tab or window)

Query

✄𐘗
text code block:
✄𐘗event.dataset:o365.audit
    and event.provider:AzureActiveDirectory
    and event.category:authentication
    and o365.audit.ErrorNumber:(
        20001 or 20012 or 20033 or 40008 or 40009 or 40015 or
        50006 or 50008 or 50012 or 50013 or 50027 or 50048 or
        50099 or 50132 or 75005 or 75008 or 75011 or 75016 or
        81004 or 81009 or 81010 or 399284 or 500212 or 500213 or
        700005 or 5000819
    )