What Changed
The KQL filter in SigninAttemptsByIPviaDisabledAccounts previously matched only the longer ResultDescription string for ResultType 50057. This has been updated to an in operator covering both known AADSTS50057 variants.
Detection Logic
- Data sources: SigninLogs, AADNonInteractiveUserSignInLogs
- Core logic: Identifies IPs that generated failed sign-in attempts against disabled accounts (ResultType 50057), then correlates those IPs against successful sign-ins to surface potential credential spraying or persistence attempts using disabled account credentials.
- Entity mappings: Account (UserPrincipalName), IP (IPAddress)
Security Impact
Deployments running rule version 2.1.3 or earlier had a detection gap: sign-in events returning the shorter ResultDescription value The user account is disabled. were not matched, producing no alerts and therefore no incidents. This variant was confirmed to appear in both Commercial and Government tenants across both interactive and non-interactive authentication flows.
Per the PR description: the shorter string was introduced earlier in Commercial tenants before propagating to Government tenants - meaning the gap window varied by tenant type. The fix aligns the rule with the documented AADSTS50057 error variants in the Microsoft Entra error code reference.
Immediate action recommended: If you rely on this rule for disabled-account brute-force visibility, verify your tenant is running rule version 2.1.4 (Solution v3.3.15).
MITRE Mapping
- T1110 - Brute Force (detection target: repeated sign-in attempts against disabled accounts from a single IP)
- T1078 - Valid Accounts (adversary context: probing accounts that may have been disabled post-compromise)
Affected Files
Solutions/Microsoft Entra ID/Analytic Rules/SigninAttemptsByIPviaDisabledAccounts.yaml
(packaging artefacts: 3.3.15.zip, ReleaseNotes.md, Solution_AAD.json, mainTemplate.json)