Metrics

Security Center uses tenant log events to identify patterns that usually indicate known attack types. We classify tenant log event patterns into the following categories: normal traffic, credential stuffing threats, signup attack threats, and MFA bypass threats.

Normal traffic

We use normal traffic as a benchmark against which to compare the different threat types we may observe. Normal traffic includes all successful and failed events for a given hour, covering the following event codes:

| Event code | Event |
| --- | --- |
| s | Successful login |
| ss | Successful signup |
| sepft | Successful exchange of password for access token |
| f | Failed user login |
| fu | Failed user login due to invalid username |
| fp | Failed user login due to invalid password |
| pwd_leak | Attempted login with a leaked password |

Credential stuffing

We identify credential stuffing threats within a single hour with the following event codes:

| Event code | Event |
| --- | --- |
| f | Failed user login |
| fu | Failed user login due to invalid username |
| fp | Failed user login due to invalid password |
| pwd_leak | Attempted login with a leaked password |
| limit_wc | IP blocked for >10 failed login attempts to a single account |
| limit_sul | User blocked for >20 logins per minute from the same IP address |
| limit_mu | IP blocked for >100 failed login attempts or >50 signup attempts |

Signup attack

We identify signup attack threats within a single hour with the following event codes:

| Event code | Event |
| --- | --- |
| fs | Failed signup |

MFA bypass

We identify MFA bypass threats within a single hour with the following event codes:

| Event code | Event |
| --- | --- |
| cs | Sent code |
| cls | Sent code/link |
| gd_send_pn | Sent push notification |
| gd_send_sms | Sent SMS |
| gd_auth_failed | Failed OTP authentication |
| gd_auth_rejected | Rejected OTP authentication |
| gd_otp_rate_limit_exceed | Too many OTP authentication failures |
| gd_recovery_failed | Failed recovery |
| gd_recovery_rate_limit_exceed | Too many recovery failures |
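
The hourly grouping described on this page can be reproduced over exported tenant logs for a detection pipeline. The following is an added example, not Security Center's own code: it assumes each log event is a dict with a `date` field (ISO 8601) and a `type` field (event code), and the function names and the `unclassified` bucket are hypothetical.

```python
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Event codes per category, copied from the tables on this page.
CATEGORIES = {
    "normal_traffic": {"s", "ss", "sepft", "f", "fu", "fp", "pwd_leak"},
    "credential_stuffing": {"f", "fu", "fp", "pwd_leak",
                            "limit_wc", "limit_sul", "limit_mu"},
    "signup_attack": {"fs"},
    "mfa_bypass": {"cs", "cls", "gd_send_pn", "gd_send_sms", "gd_auth_failed",
                   "gd_auth_rejected", "gd_otp_rate_limit_exceed",
                   "gd_recovery_failed", "gd_recovery_rate_limit_exceed"},
}


def hour_bucket(timestamp: str) -> str:
    """Truncate an ISO 8601 timestamp to its UTC hour."""
    dt = datetime.fromisoformat(timestamp.replace("Z", "+00:00"))
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:00Z")


def hourly_counts(events):
    """Return {hour: Counter(category -> event count)}.

    Assumption: events are dicts with "date" and "type" keys.
    A code such as "fp" is listed under both normal traffic and credential
    stuffing, so one event can increment more than one category.
    Codes not listed on this page are counted as "unclassified".
    """
    buckets = defaultdict(Counter)
    for event in events:
        hour = hour_bucket(event["date"])
        matched = [name for name, codes in CATEGORIES.items()
                   if event["type"] in codes]
        for name in matched or ["unclassified"]:
            buckets[hour][name] += 1
    return dict(buckets)


# Constructed sample events (not real tenant data).
SAMPLE_EVENTS = [
    {"date": "2024-05-01T10:02:11.000Z", "type": "s"},
    {"date": "2024-05-01T10:15:40.000Z", "type": "fp"},
    {"date": "2024-05-01T10:15:41.000Z", "type": "fp"},
    {"date": "2024-05-01T10:16:02.000Z", "type": "limit_wc"},
    {"date": "2024-05-01T10:59:59.000Z", "type": "fs"},
    {"date": "2024-05-01T11:00:00.000Z", "type": "gd_auth_failed"},
    {"date": "2024-05-01T11:20:00.000Z", "type": "x_unlisted"},  # made-up code
]
```

Comparing each threat category's count with `normal_traffic` for the same hour gives the benchmark comparison the page describes; the page states no thresholds, so none are applied here.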