Intense SSO failures

Synopsis

Activation Period	14 Days
Training Period	30 Days
Test Period	10 Minutes
Deduplication Period	1 Day
Required Data	Requires: AzureAD Requires: Okta Requires: OneLogin
Detection Modules	Identity Analytics
ATT&CK Tactic	Credential Access (TA0006) Initial Access (TA0001)
ATT&CK Technique	Valid Accounts (T1078) Brute Force: Password Spraying (T1110.003) Brute Force: Password Guessing (T1110.001)
Severity	Informational

Description

An abnormally high amount of SSO authentication attempts were seen within a short period of time.
This could be the outcome of a brute-force login attempt.

Attacker's Goals

An attacker is attempting to gain access to an account secured with MFA.

Investigative actions

Check the legitimacy of this activity and determine whether it is malicious or not.
Check whether a successful login was made after unsuccessful attempts.

Variations

Intense SSO failures with suspicious characteristics

Synopsis

ATT&CK Tactic

ATT&CK Technique

Severity

Low

Description

An abnormally high amount of SSO authentication attempts were seen within a short period of time.
This could be the outcome of a brute-force login attempt.

Attacker's Goals

An attacker is attempting to gain access to an account secured with MFA.

Investigative actions

Check the legitimacy of this activity and determine whether it is malicious or not.
Check whether a successful login was made after unsuccessful attempts.