User Account Authentication

An attempt, whether successful or failed, by a user, service, or application to gain access to a network, system, or cloud-based resource. Authentication typically involves credentials such as passwords, tokens, multi-factor authentication (MFA), or biometric validation.

Data Collection Measures:

  • Host-Based Authentication Logs
    • Windows Event Logs
      • Event ID 4776 – NTLM authentication attempt.
      • Event ID 4624 – Successful user logon.
      • Event ID 4625 – Failed authentication attempt.
      • Event ID 4648 – Explicit logon with alternate credentials.
    • Linux/macOS Authentication Logs
      • /var/log/auth.log, /var/log/secure – Logs SSH, sudo, and other authentication attempts.
      • AuditD – Tracks authentication events via PAM modules.
      • macOS Unified Logs – /var/db/diagnostics captures authentication failures.
  • Cloud Authentication Logs
    • Azure AD Logs
      • Sign-in Logs – Tracks authentication attempts, MFA challenges, and conditional access failures.
      • Audit Logs – Captures authentication-related configuration changes.
      • Microsoft Graph API – Provides real-time sign-in analytics.
    • Google Workspace & Office 365
      • Google Admin Console – User Login Report tracks login attempts and failures.
      • Office 365 Unified Audit Logs – Captures logins across Exchange, SharePoint, and Teams.
    • AWS CloudTrail & IAM
      • Tracks authentication via AWS IAM AuthenticateUser and sts:GetSessionToken.
      • Logs failed authentications to AWS Management Console and API requests.
  • Container Authentication Monitoring
    • Kubernetes Authentication Logs
      • kubectl audit logs – Captures authentication attempts for service accounts and admin users.
      • Azure Kubernetes Service (AKS) and Google Kubernetes Engine (GKE) – Logs IAM authentication events.
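The Linux authentication sources above (sshd lines in /var/log/auth.log or /var/log/secure) are the raw material for several of the detection strategies this component feeds, in particular the password guessing and password spraying ones. The following is an added example, not code from the ATT&CK page or project: a small parser for the "Failed password for invalid user ..." and "Accepted password/publickey for ..." sshd line shapes, plus two checks over the parsed records. The log lines are constructed, and the function names, the 300-second window and the thresholds of three accounts or three failures are assumptions chosen for illustration, not values the page states.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd lines in traditional syslog format; hosts and addresses are
# documentation-range placeholders, not observations from a real system.
SAMPLE_AUTH_LOG = """\
Mar  4 10:01:02 host1 sshd[2311]: Failed password for invalid user admin from 203.0.113.7 port 50112 ssh2
Mar  4 10:01:05 host1 sshd[2311]: Failed password for invalid user test from 203.0.113.7 port 50113 ssh2
Mar  4 10:01:09 host1 sshd[2311]: Failed password for root from 203.0.113.7 port 50114 ssh2
Mar  4 10:01:12 host1 sshd[2311]: Failed password for alice from 203.0.113.7 port 50115 ssh2
Mar  4 10:01:15 host1 sshd[2312]: Failed password for bob from 203.0.113.7 port 50116 ssh2
Mar  4 10:01:20 host1 sshd[2312]: Accepted password for bob from 203.0.113.7 port 50117 ssh2
Mar  4 10:05:00 host1 sshd[2400]: Accepted publickey for deploy from 198.51.100.20 port 41000 ssh2
Mar  4 10:06:30 host1 sshd[2401]: Failed password for carol from 198.51.100.21 port 41001 ssh2
Mar  4 10:06:40 host1 sshd[2401]: Accepted password for carol from 198.51.100.21 port 41002 ssh2
"""

# Matches the two sshd outcomes of interest; "invalid user" marks a name that
# does not exist locally, a common signal in guessing and spraying activity.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"(?P<outcome>Accepted|Failed) (?P<method>password|publickey) for "
    r"(?:(?P<invalid>invalid user) )?(?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)"
)


def parse_auth_log(text):
    """Return one record per sshd Accepted/Failed line, sorted by time; other lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # Syslog omits the year; strptime defaults to 1900, which is fine for
        # time deltas within a single day.
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        records.append({
            "ts": ts,
            "src": m["src"],
            "user": m["user"],
            "success": m["outcome"] == "Accepted",
            "method": m["method"],
            "invalid_user": m["invalid"] is not None,
        })
    records.sort(key=lambda r: r["ts"])
    return records


def detect_password_spray(records, window_s=300, min_users=3):
    """Sources whose failures touch >= min_users distinct accounts inside one window.

    This is the one-password-many-accounts shape (T1110.003); thresholds are assumed.
    """
    failures = defaultdict(list)
    for r in records:
        if not r["success"]:
            failures[r["src"]].append(r)
    flagged = set()
    for src, fails in failures.items():
        for i, start in enumerate(fails):
            users = {
                f["user"] for f in fails[i:]
                if (f["ts"] - start["ts"]).total_seconds() <= window_s
            }
            if len(users) >= min_users:
                flagged.add(src)
                break
    return flagged


def detect_success_after_failures(records, window_s=300, min_failures=3):
    """(src, user) pairs where a success follows >= min_failures recent failures from the same source.

    A success closing a burst of failures is the guessing-that-worked shape (T1110.001).
    """
    recent_failures = defaultdict(list)
    hits = []
    for r in records:
        if r["success"]:
            prior = [
                t for t in recent_failures[r["src"]]
                if (r["ts"] - t).total_seconds() <= window_s
            ]
            if len(prior) >= min_failures:
                hits.append((r["src"], r["user"]))
        else:
            recent_failures[r["src"]].append(r["ts"])
    return hits


if __name__ == "__main__":
    recs = parse_auth_log(SAMPLE_AUTH_LOG)
    print(f"parsed {len(recs)} sshd authentication events")
    print("spray sources:", detect_password_spray(recs))
    print("success after failures:", detect_success_after_failures(recs))
```

On the constructed input, 203.0.113.7 is flagged by both checks (five distinct accounts tried in 18 seconds, then an accepted password for bob), while 198.51.100.21 is not: a single failure followed by a success is the ordinary mistyped-password pattern and falls below the assumed thresholds. The same two checks apply unchanged to Windows 4625/4624 pairs or cloud sign-in failures once those are normalised to the same (time, source, user, outcome) record.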

ID: DC0002
Domains: ICS, Enterprise
Version: 2.0
Created: 20 October 2021
Last Modified: 21 October 2025

Log Sources

Name Channel
auditd:AUTH pam_unix or pam_google_authenticator invoked repeatedly within short interval
auditd:SYSCALL pam_authenticate, sshd
auditd:SYSCALL execution of ssh, scp, or sftp using previously unseen credentials or keys
auditd:USER_LOGIN USER_AUTH
AWS:CloudTrail AssumeRole or ConsoleLogin with repeated MFA failures followed by repeated MFA requests
AWS:CloudTrail sts:GetFederationToken
AWS:CloudTrail AssumeRoleWithWebIdentity
AWS:CloudTrail AWS IAM: ListUsers, ListRoles
AWS:CloudTrail eventName=ConsoleLogin | eventType=AwsConsoleSignIn
AWS:CloudTrail ConsoleLogin or AssumeRole
AWS:CloudTrail ConsoleLogin, AssumeRole, ListAccessKeys, CreateUser
azure:signinlogs Success logs from high-risk accounts
azure:signinlogs Multiple MFA challenge requests without successful primary login
azure:signinlogs TokenIssued, TokenRenewed: Unexpected or anomalous token issuance events
azure:signinlogs SignIn: Sign-ins flagged as atypical (new geographic region, unfamiliar device id) shortly after correlated endpoint/browser compromise times
azure:signinlogs Operation=UserLogin
azure:signinlogs Unusual Token Usage or Application Consent
azure:signinlogs OperationName=SetDomainAuthentication OR Set-FederatedDomain
azure:signinlogs Sign-in with unfamiliar location/device + portal navigation
azure:signinlogs Login from newly created account
azure:signinlogs Interactive/Non-Interactive Sign-In
azure:signinlogs Reset password or download key from portal
azure:signinlogs status = failure
azure:signinlogs Sign-in logs
azure:signinlogs SigninSuccess
azure:signinlogs Failure Reason + UserPrincipalName
azure:signinlogs Sign-in activity
azure:signinlogs Sign-in logs / audit events
esxi:auth interactive shell or SSH access preceding storage enumeration
esxi:auth /var/log/auth.log
esxi:auth SSH session/login
esxi:vpxa user login from unexpected IP or non-admin user role
esxi:vpxd /var/log/vmware/vpxd.log
ESXiLogs:authlog Unexpected login followed by encoding commands
gcp:audit drive.activity
gcp:audit login.event
gcp:audit Sign-in logs / audit events
gcp:workspaceaudit Token Generation via Domain Delegation
GCPAuditLogs:login.googleapis.com Failed sign-in events
kubernetes:apiserver get/list requests to /api/v1/secrets or /api/v1/namespaces/*/serviceaccounts
kubernetes:apiserver authentication.k8s.io/v1beta1
kubernetes:audit Failed login
kubernetes:audit authentication.k8s.io
linux:auth sshd login
linux:syslog sudo/date/timedatectl execution by non-standard users
linux:syslog SSH failed login
linux:syslog Failed password for invalid user
linux:syslog sshd[pid]: Failed password
linux:syslog authentication and authorization events during environmental validation phase
m365:exchange Logon failure
m365:exchange FailedLogin
m365:signin Sign-in from anomalous location or impossible travel condition
m365:signinlogs UserLoginSuccess
m365:signinlogs Unusual sign-in from service principal to user mailbox
m365:unified Delegated permission grants without user login event
m365:unified login using refresh_token with no preceding authentication context
m365:unified Sign-in logs
macos:unifiedlog successful sudo or authentication for account not normally associated with admin actions
macos:unifiedlog Login success without MFA step
macos:unifiedlog log show --predicate 'eventMessage contains "Authentication"'
macos:unifiedlog User credential prompt events without associated trusted installer package
macos:unifiedlog Login failure / authorization denied
macos:unifiedlog auth
macos:unifiedlog Login Window and Authd errors
macos:unifiedlog authd
network:auth repeated successful authentications with previously unknown accounts or anomalous password acceptance
networkdevice:syslog config access, authentication logs
networkdevice:syslog User privilege escalation to level 15/root prior to destructive commands
networkdevice:syslog authorization/accounting logs
networkdevice:syslog Failed and successful logins to network devices outside approved admin IP ranges
networkdevice:syslog Privileged login followed by destructive format command
networkdevice:syslog admin login events
networkdevice:syslog Privileged login followed by destructive command sequence
networkdevice:syslog AAA, RADIUS, or TACACS authentication
networkdevice:syslog authentication logs
networkdevice:syslog AAA or TACACS authentication failures
networkdevice:syslog authentication & authorization
networkdevice:syslog login failed
NSM:Connections Accepted password or publickey for user from remote IP
NSM:Connections Repeated failed authentication attempts or replay patterns
NSM:Connections Successful login without expected MFA challenge
NSM:Connections sshd or PAM logins
NSM:Flow TGS-REQ and AS-REQ seen for new user shortly after domain-modifying process
Okta:authn authentication_failure
Okta:SystemLog eventType: user.authentication.sso, app.oauth2.token.grant
saas-app:auth login_failure
saas:audit Repeated requests to SMS-generating endpoints using anomalous or new user agents, IP ranges, or geographies.
saas:auth signin_failed
saas:googleworkspace API access without user login
saas:googleworkspace Accessed third-party credential management service
saas:googleworkspace login with reused session token and mismatched user agent or IP
saas:googleworkspace Access via OAuth credentials with unusual scopes or from anomalous IPs
saas:okta session.impersonation.start
saas:okta Unusual OAuth app requesting message-read scopes for Slack/Teams/Jira
saas:okta authentication_failure
saas:okta Sign-in logs / audit events
saas:salesforce API login using access_token without login history
saas:salesforce Login
User Account None
WinEventLog:Security EventCode=4625
WinEventLog:Security EventCode=4769,1200,1202
WinEventLog:Security EventCode=4768, 4769, 4770
WinEventLog:Security EventCode=4769
WinEventLog:Security EventCode=4624, 4625
WinEventLog:Security EventCode=4625, 4624
WinEventLog:Security EventCode=4625, 4771, 4648
WinEventLog:Security 4624, 4625
WinEventLog:Security EventID=4625
WinEventLog:Security EventCode=4648

Detection Strategy

ID Name Technique Detected
DET0210 Abuse of Domain Accounts T1078.002
DET0120 Account Access Removal via Multi-Platform Audit Correlation T1531
DET0186 Automated File and API Collection Detection Across Platforms T1119
DET0354 Behavior-chain detection for T1133 External Remote Services across Windows, Linux, macOS, Containers T1133
DET0151 Behavior-chain, platform-aware detection strategy for T1124 System Time Discovery T1124
DET0142 Behavioral Detection of CLI Abuse on Network Devices T1059.008
DET0516 Behavioral Detection of Command and Scripting Interpreter Abuse T1059
DET0078 Behavioral Detection of Malicious Cloud API Scripting T1059.009
DET0338 Behavioral Detection Strategy for Use Alternate Authentication Material (T1550) T1550
DET0185 Behavioral Detection Strategy for Use Alternate Authentication Material: Application Access Token (T1550.001) T1550.001
DET0463 Brute Force Authentication Failures with Multi-Platform Log Correlation T1110
DET0386 Cloud Account Enumeration via API, CLI, and Scripting Interfaces T1087.004
DET0460 Credential Stuffing Detection via Reused Breached Credentials Across Services T1110.004
DET0198 Detect Abuse of Container APIs for Credential Access T1552.007
DET0412 Detect Access or Search for Unsecured Credentials Across Platforms T1552
DET0190 Detect MFA Modification or Disabling Across Platforms T1556.006
DET0272 Detect Modification of Network Device Authentication via Patched System Images T1556.004
DET0111 Detect Unsecured Credentials Shared in Chat Messages T1552.008
DET0074 Detect Use of Stolen Web Session Cookies Across Platforms T1550.004
DET0546 Detection of Abused or Compromised Cloud Accounts for Access and Persistence T1078.004
DET0291 Detection of Cloud Service Dashboard Usage via GUI-Based Cloud Access T1538
DET0465 Detection of Default Account Abuse Across Platforms T1078.001
DET0270 Detection of Domain or Tenant Policy Modifications via AD and Identity Provider T1484
DET0407 Detection of Local Account Abuse for Initial Access and Persistence T1078.003
DET0560 Detection of Valid Account Abuse Across Platforms T1078
DET0724 Detection of Valid Accounts T0859
DET0509 Detection of Web Session Cookie Theft via File, Memory, and Network Artifacts T1539
DET0108 Detection Strategy for Data Encoding in C2 Channels T1132
DET0316 Detection Strategy for Disk Content Wipe via Direct Access and Overwrite T1561.001
DET0297 Detection Strategy for Disk Structure Wipe via Boot/Partition Overwrite T1561.002
DET0137 Detection Strategy for Disk Wipe via Direct Disk Access and Destructive Commands T1561
DET0558 Detection Strategy for ESXi Hypervisor CLI Abuse T1059.012
DET0174 Detection Strategy for Exploitation for Credential Access T1212
DET0148 Detection Strategy for Forged SAML Tokens T1606.002
DET0160 Detection Strategy for Multi-Factor Authentication Request Generation (T1621) T1621
DET0233 Detection Strategy for Network Device Configuration Dump via Config Repositories T1602.002
DET0314 Detection Strategy for Network Sniffing Across Platforms T1040
DET0156 Detection Strategy for Resource Hijacking: SMS Pumping via SaaS Application Logs T1496.003
DET0319 Detection Strategy for T1136.003 - Cloud Account Creation across IaaS, IdP, SaaS, Office T1136.003
DET0515 Detection Strategy for T1528 - Steal Application Access Token T1528
DET0352 Detection Strategy for T1550.003 - Pass the Ticket (Windows) T1550.003
DET0393 Detection Strategy for Temporary Elevated Cloud Access Abuse (T1548.005) T1548.005
DET0536 Detection Strategy for Wi-Fi Networks T1669
DET0487 Distributed Password Spraying via Authentication Failures Across Multiple Accounts T1110.003
DET0176 Drive-by Compromise — Behavior-based, Multi-platform Detection Strategy (T1189) T1189
DET0229 Enumeration of Global Address Lists via Email Account Discovery T1087.003
DET0054 Internal Spearphishing via Trusted Accounts T1534
DET0188 Local Storage Discovery via Drive Enumeration and Filesystem Probing T1680
DET0395 macOS AuthorizationExecuteWithPrivileges Elevation Prompt Detection T1548.004
DET0484 Multi-Platform Cloud Storage Exfiltration Behavior Chain T1530
DET0562 Multi-Platform Execution Guardrails Environmental Validation Detection Strategy T1480
DET0551 Password Guessing via Multi-Source Authentication Failure Correlation T1110.001
DET0105 Post-Credential Dump Password Cracking Detection via Suspicious File Access and Hash Analysis Tools T1110.002
DET0003 T1136.002 Detection Strategy - Domain Account Creation Across Platforms T1136.002