A high volume of authentication failures using a single password (or small set) across many different user accounts within a defined time window
| Data Component | Name | Channel |
|---|---|---|
| User Account Authentication (DC0002) | WinEventLog:Security | EventCode=4625, 4771, 4648 |
| Field | Description |
|---|---|
| PasswordReuseThreshold | Number of distinct accounts a password is used against before alerting |
| TimeWindow | Window over which the correlation is measured (e.g., 10 mins) |
| TargetGroupFilter | Limit detection to sensitive or monitored user groups (e.g., Admins) |
Authentication failures across many different accounts from the same source via SSH or the PAM stack within a short window. The attempted password is not written to syslog, so the spray signature is one or a few attempts per username spread across many usernames (often including nonexistent ones), rather than many attempts against a single username
| Data Component | Name | Channel |
|---|---|---|
| User Account Authentication (DC0002) | linux:syslog | Failed password for invalid user |
| Field | Description |
|---|---|
| PasswordReusePattern | Proxy for reuse of one password: a low attempts-per-username ratio across many usernames from one source, since the password itself never appears in the log |
| IPAggregationWindow | Length of time to observe distributed spray attempts from single source |
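The two analytics above (Windows Security 4625 and Linux sshd syslog) share the same correlation: group failures by source, slide a time window, and alert when the number of distinct target accounts inside the window reaches the threshold. The block below is an added example, not part of this page or of any vendor's content, implementing that correlator once and feeding it from both log formats. It counts only EventCode 4625 with a credential-test SubStatus (0xC000006A wrong password, 0xC0000064 no such user); 4771 would need a Kerberos field mapping, and 4648 records explicit-credential use rather than a failure. The event records, syslog lines, IP addresses, account names and threshold values are constructed for the demo; the sshd regex matches the stock "Failed password for [invalid user] X from IP port N ssh2" line. The same correlator applies to the network-device, Kubernetes and SaaS analytics later on the page once their failures are reduced to (timestamp, source, account) triples.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Tunables named after the page's fields; the values are assumptions for the demo.
PASSWORD_REUSE_THRESHOLD = 5               # distinct accounts from one source before alerting
TIME_WINDOW = timedelta(minutes=10)         # Windows analytic window
IP_AGGREGATION_WINDOW = timedelta(minutes=10)  # Linux analytic window
TARGET_GROUP_FILTER = {"adm.carter", "adm.ruiz"}  # hypothetical privileged accounts

# 4625 SubStatus values that mean a credential was actually tested.
WRONG_PASSWORD = "0xC000006A"
NO_SUCH_USER = "0xC0000064"


def spray_sources(events, threshold, window, target_group=None):
    """Sliding-window correlation over (timestamp, source, account) triples.
    A source is flagged when failures against >= `threshold` distinct accounts
    fall inside any `window`-long span. Returns {source: accounts_hit}."""
    by_source = defaultdict(list)
    for ts, src, user in events:
        if target_group is None or user in target_group:
            by_source[src].append((ts, user))
    hits = {}
    for src, rows in by_source.items():
        rows.sort()                     # logs may arrive out of order
        recent = deque()
        for ts, user in rows:
            recent.append((ts, user))
            while ts - recent[0][0] > window:   # drop entries older than the window
                recent.popleft()
            distinct = {u for _, u in recent}
            if len(distinct) >= threshold:
                hits[src] = hits.get(src, set()) | distinct
    return hits


def windows_failures(events):
    """Security 4625 records (dicts with the event's field names) -> triples.
    Successes (4624) and non-credential SubStatus values are ignored."""
    out = []
    for e in events:
        if e["EventCode"] != 4625 or e.get("SubStatus") not in (WRONG_PASSWORD, NO_SUCH_USER):
            continue
        ts = datetime.strptime(e["TimeCreated"], "%Y-%m-%dT%H:%M:%SZ")
        out.append((ts, e["IpAddress"], e["TargetUserName"].lower()))
    return out


SSHD_FAILED = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2$")


def sshd_failures(lines, year=2024):
    """sshd auth.log lines -> triples. Syslog omits the year, so one is assumed."""
    out = []
    for line in lines:
        m = SSHD_FAILED.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
            out.append((ts, m["ip"], m["user"]))
    return out


def _w(ts, user, ip, sub=WRONG_PASSWORD, code=4625):  # constructed 4625-shaped record
    return {"EventCode": code, "TimeCreated": ts, "TargetUserName": user, "IpAddress": ip, "SubStatus": sub}


# Constructed sample: one fast spray, one slow source that never fills the window,
# one user retrying their own password, then a genuine logon.
WIN_EVENTS = [
    _w("2024-05-01T09:00:01Z", "a.smith", "203.0.113.7"), _w("2024-05-01T09:00:03Z", "b.jones", "203.0.113.7"),
    _w("2024-05-01T09:00:05Z", "c.nguyen", "203.0.113.7", NO_SUCH_USER), _w("2024-05-01T09:00:07Z", "adm.carter", "203.0.113.7"),
    _w("2024-05-01T09:00:09Z", "adm.ruiz", "203.0.113.7"), _w("2024-05-01T09:00:11Z", "d.patel", "203.0.113.7"),
    _w("2024-05-01T09:20:00Z", "f.one", "192.0.2.5"), _w("2024-05-01T09:24:00Z", "f.two", "192.0.2.5"),
    _w("2024-05-01T09:28:00Z", "f.three", "192.0.2.5"), _w("2024-05-01T09:32:00Z", "f.four", "192.0.2.5"),
    _w("2024-05-01T09:36:00Z", "f.five", "192.0.2.5"),
    _w("2024-05-01T09:01:00Z", "e.kim", "10.0.0.44"), _w("2024-05-01T09:01:30Z", "e.kim", "10.0.0.44"),
    {"EventCode": 4624, "TimeCreated": "2024-05-01T09:02:00Z", "TargetUserName": "e.kim", "IpAddress": "10.0.0.44"},
]

SSH_LINES = [  # constructed auth.log excerpt
    "May  1 09:10:00 bastion sshd[2201]: Failed password for invalid user admin from 198.51.100.9 port 51000 ssh2",
    "May  1 09:10:02 bastion sshd[2202]: Failed password for root from 198.51.100.9 port 51001 ssh2",
    "May  1 09:10:04 bastion sshd[2203]: Failed password for invalid user oracle from 198.51.100.9 port 51002 ssh2",
    "May  1 09:10:06 bastion sshd[2204]: Failed password for deploy from 198.51.100.9 port 51003 ssh2",
    "May  1 09:10:08 bastion sshd[2205]: Failed password for invalid user backup from 198.51.100.9 port 51004 ssh2",
    "May  1 09:11:00 bastion sshd[2206]: Failed password for alice from 10.0.0.5 port 40000 ssh2",
    "May  1 09:11:05 bastion sshd[2207]: Failed password for alice from 10.0.0.5 port 40001 ssh2",
    "May  1 09:11:09 bastion sshd[2208]: Failed password for alice from 10.0.0.5 port 40002 ssh2",
    "May  1 09:11:10 bastion sshd[2209]: Accepted publickey for alice from 10.0.0.5 port 40003 ssh2: ED25519 SHA256:abc",
]

if __name__ == "__main__":
    print("windows:", spray_sources(windows_failures(WIN_EVENTS), PASSWORD_REUSE_THRESHOLD, TIME_WINDOW))
    print("admins: ", spray_sources(windows_failures(WIN_EVENTS), 2, TIME_WINDOW, TARGET_GROUP_FILTER))
    print("sshd:   ", spray_sources(sshd_failures(SSH_LINES), PASSWORD_REUSE_THRESHOLD, IP_AGGREGATION_WINDOW))
```

Only 203.0.113.7 and 198.51.100.9 are flagged: 10.0.0.44 and 10.0.0.5 fail repeatedly against a single account (brute force or a typo, not a spray), and 192.0.2.5 hits five accounts but never more than three inside any ten-minute span, which is why TimeWindow must be tuned against the attacker's likely pacing. Applying TargetGroupFilter lowers the useful threshold, since a spray that touches even two admin accounts is worth a look.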
Multiple failed login attempts across different users using common password patterns (e.g., 'Welcome2023')
| Data Component | Name | Channel |
|---|---|---|
| User Account Authentication (DC0002) | macos:unifiedlog | Login Window and Authd errors |
| Field | Description |
|---|---|
| RetryCountThreshold | Total number of attempts before alerting |
| CommonPasswordList | List of passwords considered suspicious due to widespread use; usable only where the attempted credential is observable, since the unified log itself does not record passwords |
Sign-in failures across enterprise SSO applications or SaaS platforms from the same IP address using the same password against multiple user identities
| Data Component | Name | Channel |
|---|---|---|
| User Account Authentication (DC0002) | azure:signinlogs | Failure Reason + UserPrincipalName |
| Field | Description |
|---|---|
| GeoIPAnomalyCheck | Use geolocation mismatches to strengthen signal |
| FailedUserRatio | Proportion of total user base affected to filter noise |
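For identity-provider logs the useful unit is the proportion of the directory a single source has touched, plus the result code, which distinguishes a missed guess from a hit. The following is an added example, not part of this page or of Microsoft's documentation, run over constructed records shaped like Entra ID sign-in log entries (createdDateTime, userPrincipalName, ipAddress, status.errorCode, location.countryOrRegion). It buckets sign-ins by source IP and hour, raises a finding when the distinct UPNs receiving errorCode 50126 (invalid username or password) reach FailedUserRatio of the assumed user base, escalates when the source country is outside an assumed allow-list (GeoIPAnomalyCheck), and escalates further when the same source also obtained a success or an MFA challenge (50076/50074), which means one sprayed password was correct. The UPNs, IPs, countries, user-base size and ratio are all assumptions for the demo.

```python
from collections import defaultdict
from datetime import datetime

# Entra ID status.errorCode values relevant to spray triage.
INVALID_CREDENTIALS = 50126     # invalid username or password: the guess missed
MFA_REQUIRED = {50076, 50074}   # password accepted, strong auth interrupted: the guess hit
SUCCESS = 0

# Tunables from the page; values are assumptions for the demo.
FAILED_USER_RATIO = 0.05            # alert when >= 5% of the directory fails from one source
EXPECTED_COUNTRIES = {"DE", "US"}   # assumed tenant footprint for GeoIPAnomalyCheck
USER_BASE = 100                     # UserPopulationSensitivity: directory size


def hour_bucket(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").strftime("%Y-%m-%dT%H")


def analyse_signins(records, user_base, ratio, expected_countries):
    """Group sign-ins by (source IP, hour). A bucket is a spray when the distinct
    UPNs that received 50126 reach `ratio` of the user base. Severity rises when
    the source is outside the expected countries and again when the same source
    also got a success/MFA prompt for any account during that hour."""
    buckets = defaultdict(lambda: {"failed": set(), "valid": set(), "countries": set()})
    for r in records:
        b = buckets[(r["ipAddress"], hour_bucket(r["createdDateTime"]))]
        code = r["status"]["errorCode"]
        upn = r["userPrincipalName"].lower()
        b["countries"].add(r["location"]["countryOrRegion"])
        if code == INVALID_CREDENTIALS:
            b["failed"].add(upn)
        elif code == SUCCESS or code in MFA_REQUIRED:
            b["valid"].add(upn)
    findings = []
    for (ip, hour), b in sorted(buckets.items()):
        failed_ratio = len(b["failed"]) / user_base
        if failed_ratio < ratio:
            continue                      # below FailedUserRatio: typo and help-desk noise
        severity = "medium"
        if b["countries"] - expected_countries:
            severity = "high"             # GeoIPAnomalyCheck
        if b["valid"]:
            severity = "critical"         # a sprayed password worked for someone
        findings.append({"ip": ip, "hour": hour, "failed_users": len(b["failed"]),
                         "ratio": round(failed_ratio, 3), "valid_for": sorted(b["valid"]),
                         "severity": severity})
    return findings


def _s(ts, upn, ip, code, country):  # constructed sign-in-log-shaped record
    return {"createdDateTime": ts, "userPrincipalName": upn, "ipAddress": ip,
            "status": {"errorCode": code}, "location": {"countryOrRegion": country}}


SIGNIN_RECORDS = [
    # Spray from 203.0.113.50: six misses, then an MFA prompt for g.holt (password was right).
    _s("2024-05-01T08:01:00Z", "a.lee@example.com", "203.0.113.50", 50126, "NL"),
    _s("2024-05-01T08:01:10Z", "b.ortiz@example.com", "203.0.113.50", 50126, "NL"),
    _s("2024-05-01T08:01:20Z", "c.wang@example.com", "203.0.113.50", 50126, "NL"),
    _s("2024-05-01T08:01:30Z", "d.rossi@example.com", "203.0.113.50", 50126, "NL"),
    _s("2024-05-01T08:01:40Z", "e.novak@example.com", "203.0.113.50", 50126, "NL"),
    _s("2024-05-01T08:01:50Z", "f.dube@example.com", "203.0.113.50", 50126, "NL"),
    _s("2024-05-01T08:02:00Z", "g.holt@example.com", "203.0.113.50", 50076, "NL"),
    # Spray from 198.51.100.200 that only missed.
    _s("2024-05-01T08:30:00Z", "h.ibe@example.com", "198.51.100.200", 50126, "BR"),
    _s("2024-05-01T08:30:05Z", "i.sato@example.com", "198.51.100.200", 50126, "BR"),
    _s("2024-05-01T08:30:10Z", "j.kaur@example.com", "198.51.100.200", 50126, "BR"),
    _s("2024-05-01T08:30:15Z", "k.moss@example.com", "198.51.100.200", 50126, "BR"),
    _s("2024-05-01T08:30:20Z", "l.bern@example.com", "198.51.100.200", 50126, "BR"),
    # Office egress: a few typos and successes, below the ratio.
    _s("2024-05-01T08:40:00Z", "m.ruiz@example.com", "192.0.2.77", 50126, "US"),
    _s("2024-05-01T08:40:30Z", "m.ruiz@example.com", "192.0.2.77", 0, "US"),
    _s("2024-05-01T08:41:00Z", "n.berg@example.com", "192.0.2.77", 50126, "US"),
    _s("2024-05-01T08:41:20Z", "n.berg@example.com", "192.0.2.77", 0, "US"),
]

if __name__ == "__main__":
    for f in analyse_signins(SIGNIN_RECORDS, USER_BASE, FAILED_USER_RATIO, EXPECTED_COUNTRIES):
        print(f)
```

Two findings result: 198.51.100.200 at "high" (5% of the directory from an unexpected country) and 203.0.113.50 at "critical", because the MFA challenge for g.holt shows the sprayed password matched. The office egress address never reaches the ratio. The "valid" escalation assumes the source is not a shared NAT that legitimate users also sign in from; on a tenant where that is common, restrict it to MFA_REQUIRED codes and exclude sources with an established success history.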
Authentication failure logs on routers/switches showing repeated use of default or common passwords across multiple accounts
| Data Component | Name | Channel |
|---|---|---|
| User Account Authentication (DC0002) | networkdevice:syslog | AAA or TACACS authentication failures |
| Field | Description |
|---|---|
| AuthFailureBurst | Cluster of failed attempts in short period indicating spray |
| InterfaceFilter | Limit detection to console/SSH vs web UI interfaces |
Repeated failed authentication attempts to container APIs, control planes, or login shells across many user names using the same password
| Data Component | Name | Channel |
|---|---|---|
| User Account Authentication (DC0002) | kubernetes:audit | Authentication failures (API server requests recorded with responseStatus code 401) |
| Field | Description |
|---|---|
| OrchestrationScope | Detect spray attempts scoped to single pod vs full cluster |
| ServiceAccountFilter | Limit detection to non-service accounts to reduce noise |
Failed authentication attempts across user mailboxes using identical or common passwords (e.g., OWA brute-force attempts)
| Data Component | Name | Channel |
|---|---|---|
| User Account Authentication (DC0002) | m365:exchange | FailedLogin |
| Field | Description |
|---|---|
| MailboxAccessAttempts | Threshold on mailbox login failures by same IP |
| EmailPatternAnalysis | Match target usernames to common spray dictionaries |
SaaS applications receiving authentication failures for dozens of accounts using the same password or login signature
| Data Component | Name | Channel |
|---|---|---|
| User Account Authentication (DC0002) | saas:auth | signin_failed |
| Field | Description |
|---|---|
| CloudAppScope | Restrict detection to identity providers or select high-risk SaaS platforms |
| UserPopulationSensitivity | Adjust based on size and role of account pool |