Metrics
Security Center uses tenant log events to identify patterns that are usually an indicator of known attack types. We classify tenant log event patterns into categories: normal traffic, credential stuffing threats, signup attack threats, and MFA bypass threats.
Normal traffic
We use normal traffic to establish a benchmark against different threat types we may observe. Normal traffic includes all successful and failed events for a given hour, which includes the following event codes:
Event code | Event |
---|---|
s |
Successful login |
ss |
Successful signup |
f |
Failed user login |
fu |
Failed user login due to invalid username |
fp |
Failed user login due to invalid password |
pwd_leak |
Attempted login with a leaked password |
Credential stuffing
We identify credential stuffing threats within a single hour with the following event codes:
Event code | Event |
---|---|
f |
Failed user login |
fu |
Failed user login due to invalid username |
fp |
Failed user login due to invalid password |
fs |
Failed signup |
pwd_leak |
Attempted login with a leaked password |
limit_wc |
IP blocked for >10 failed login attempts to a single account |
limit_sul |
User blocked for >20 login per minute from the same IP address |
limit_mu |
IP blocked for >100 failed login attempts or >50 signup attempts |
Signup attack
We identify signup attack threats within a single hour with the following event codes:
Event code | Event |
---|---|
fs |
Failed signup |
MFA bypass
We identify MFA bypass threats within a single hour with the following event codes:
Event code | Event |
---|---|
cs |
Sent code |
cls |
Sent code/link |
gd_send_pn |
Sent push notification |
gd_send_sms |
Sent SMS |
gd_auth_failed |
Failed OTP authentication |
gd_auth_rejected |
Rejected OTP authentication |
gd_otp_rate_limit_exceed |
Too many OTP authentication failures |
gd_recovery_failed |
Failed recovery |
gd_recovery_rate_limit_exceed |
Too many recovery failures |