Accounts are being locked out due to repeated failed authentication attempts, which may indicate a password spray attack attempting to guess valid credentials. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential credential compromise before further lateral movement or data exfiltration occurs.
KQL Query

```kql
SigninLogs
| where ResultType == 50053
| extend AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress
```
```yaml
id: 02e86bf2-172c-4444-ae8e-e94c5ce2bea3
name: Smart Lockouts
description: |
  'Identifies accounts that have been locked out by smart lockout policies. Review these results for patterns that might suggest that a password spray is triggering these smart lockout events.
  Ref : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins'
requiredDataConnectors:
  - connectorId: AzureActiveDirectory
    dataTypes:
      - SigninLogs
tactics:
  - InitialAccess
relevantTechniques:
  - T1078.004
query: |
  SigninLogs
  | where ResultType == 50053
  | extend AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: AccountCustomEntity
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: IPCustomEntity
```
| Sentinel Table | Notes |
|---|---|
| SigninLogs | Ensure this data connector is enabled |
Scenario: Scheduled Job Credential Rotation
Description: A scheduled job runs nightly to rotate credentials for a database using a service account, which temporarily locks out the account during the rotation process.
Filter/Exclusion: Exclude events where the account is a service account used for credential rotation and the event occurs during a known maintenance window.
Scenario: Admin Task Password Reset
Description: An administrator resets a user’s password via the Azure AD portal, which triggers a temporary lockout due to the password change process.
Filter/Exclusion: Exclude events where the account is a user account and the event is associated with a password reset initiated by an admin via Azure AD.
Scenario: Multi-Factor Authentication (MFA) Enrollment
Description: A user attempts to enroll for MFA using a new phone number, which results in a temporary lockout due to MFA configuration issues.
Filter/Exclusion: Exclude events where the account is a user account and the event is related to MFA enrollment or configuration changes.
Scenario: Password Expiration Policy Trigger
Description: A user account is locked out due to password expiration, as the system enforces a password expiration policy and requires the user to change their password.
Filter/Exclusion: Exclude events where the account is a user account and the event is associated with password expiration policy enforcement.
Scenario: Third-Party System Integration
Description: A third-party system (e.g., ServiceNow) attempts to authenticate against an enterprise account using outdated credentials, resulting in a lockout.
Filter/Exclusion: Exclude events where the account is a service account used by a third-party system and the event is logged during a system integration test or maintenance.
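The following query is an added example, not the rule shipped above, showing how the base hunt can be tuned for the benign scenarios listed here while surfacing the pattern that actually distinguishes a password spray: one source IP driving lockouts across many distinct accounts. It assumes a Sentinel watchlist named `ServiceAccounts` with a column `UPN` listing the rotation and third-party integration service accounts, a nightly maintenance window of 01:00-03:00 UTC, and a threshold of 10 locked accounts per IP per hour; all three are placeholders to adjust for your tenant.

```kql
// Added example (not the original rule). Assumes a watchlist "ServiceAccounts"
// with column "UPN", a maintenance window of 01:00-03:00 UTC and a threshold of
// 10 distinct locked accounts per source IP per hour; adjust all three locally.
let lookback = 24h;
let spray_threshold = 10;
let service_accounts =
    _GetWatchlist('ServiceAccounts')
    | project UPN = tolower(UPN);
SigninLogs
| where TimeGenerated > ago(lookback)
// ResultType is a string column in SigninLogs; cast so the comparison is explicit.
| where toint(ResultType) == 50053
| extend UPN = tolower(UserPrincipalName)
// Scenarios "Scheduled Job Credential Rotation" and "Third-Party System Integration":
// suppress known service accounts only while the maintenance window is open, so a
// service account locked out at 14:00 still surfaces.
| extend InMaintenance = hourofday(TimeGenerated) between (1 .. 2)
| where not(UPN in (service_accounts) and InMaintenance)
// Spray indicator: aggregate per source IP and hour and count distinct victims.
| summarize LockedAccounts = dcount(UPN),
            Lockouts = count(),
            Accounts = make_set(UPN, 20),
            Apps = make_set(AppDisplayName, 10),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
    by IPAddress, Hour = bin(TimeGenerated, 1h)
| where LockedAccounts >= spray_threshold
| order by LockedAccounts desc
// Keep the entity columns the rule above maps, so the same entityMappings apply.
| extend AccountCustomEntity = tostring(Accounts[0]), IPCustomEntity = IPAddress
```

Run it in the Logs blade against the same `SigninLogs` table the rule requires. The per-IP aggregation is what separates the spray case from the single-user scenarios listed above (admin password reset, MFA enrollment, password expiration): those produce one locked account per source, which never reaches the threshold, while a spray produces many. Tune `spray_threshold` downward for smaller tenants and confirm the watchlist contains only the accounts whose rotation jobs or integrations are documented.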