Security Center uses tenant log events to identify patterns that are usually an indicator of known attack types. We classify tenant log event patterns into categories: normal traffic, credential stuffing threats, signup attack threats, and bypass threats.
Classification of event type codes may change. Avoid implementing solutions dependent on the current log event code definitions.

Normal traffic

We use normal traffic to establish a benchmark against different threat types we may observe. Normal traffic includes all successful and failed events for a given hour, which includes the following event codes:
Event code    Event
s             Successful login
ss            Successful signup
sepft         Successful exchange of password for access token
f             Failed user login
fu            Failed user login due to invalid username
fp            Failed user login due to invalid password
pwd_leak      Attempted login with a leaked password

Credential stuffing

We identify credential stuffing threats within a single hour with the following event codes:
Event code    Event
f             Failed user login
fu            Failed user login due to invalid username
fp            Failed user login due to invalid password
pwd_leak      Attempted login with a leaked password
limit_wc      IP blocked for >10 failed login attempts to a single account
limit_sul     User blocked for >20 logins per minute from the same IP address
limit_mu      IP blocked for >100 failed login attempts or >50 signup attempts

Signup attack

We identify signup attack threats within a single hour with the following event codes:
Event code    Event
fs            Failed signup

MFA bypass

We identify MFA bypass threats within a single hour with the following event codes:
Event code                       Event
gd_send_email                    Sent email
gd_send_pn                       Sent push notification
gd_send_sms                      Sent SMS
gd_send_voice                    Sent voice call
gd_auth_failed                   Failed OTP authentication
gd_auth_rejected                 Rejected OTP authentication
gd_otp_rate_limit_exceed         Too many OTP authentication failures
gd_recovery_failed               Failed recovery
gd_recovery_rate_limit_exceed    Too many recovery failures
gd_webauthn_challenge_failed     WebAuthn browser failure
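The following is an added example, not Auth0's own code, showing how the four categories above can be applied to a batch of tenant log entries: events are bucketed per hour, counted in every category whose code set they match (note that f, fu, fp and pwd_leak are both normal traffic and credential stuffing), and each threat category is compared against the normal-traffic benchmark for that hour. It assumes log entries are dicts with a "date" (ISO-8601) and "type" (event code) field, and keeps the code sets in one table because the page warns they may change.

```python
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Event-code sets as listed on this page. They are kept in one place, not hard-coded
# into the detection logic, because the classification may change over time.
NORMAL = {"s", "ss", "sepft", "f", "fu", "fp", "pwd_leak"}
CREDENTIAL_STUFFING = {"f", "fu", "fp", "pwd_leak", "limit_wc", "limit_sul", "limit_mu"}
SIGNUP_ATTACK = {"fs"}
MFA_BYPASS = {"gd_send_email", "gd_send_pn", "gd_send_sms", "gd_send_voice",
              "gd_auth_failed", "gd_auth_rejected", "gd_otp_rate_limit_exceed",
              "gd_recovery_failed", "gd_recovery_rate_limit_exceed",
              "gd_webauthn_challenge_failed"}
CATEGORIES = {"normal": NORMAL, "credential_stuffing": CREDENTIAL_STUFFING,
              "signup_attack": SIGNUP_ATTACK, "mfa_bypass": MFA_BYPASS}


def hour_bucket(ts: str) -> str:
    """Truncate an ISO-8601 timestamp to its UTC hour; every category is evaluated hourly."""
    dt = datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:00Z")


def classify_hourly(events):
    """Return {hour: Counter(category -> count)}. A code may belong to more than one
    category (e.g. 'fp' is normal traffic AND credential stuffing), so an event is
    counted once in each category it matches."""
    buckets = defaultdict(Counter)
    for ev in events:  # assumed shape: {"date": ISO-8601 string, "type": event code}
        hour = hour_bucket(ev["date"])
        for name, codes in CATEGORIES.items():
            if ev["type"] in codes:
                buckets[hour][name] += 1
    return dict(buckets)


def threat_ratio(hourly, category):
    """Threat events per normal-traffic event for each hour (None when no normal traffic),
    i.e. the category measured against the normal-traffic benchmark for that hour."""
    return {h: (c[category] / c["normal"] if c["normal"] else None) for h, c in hourly.items()}


# Constructed sample entries (not real tenant logs): a quiet hour followed by a noisier one.
SAMPLE_EVENTS = [
    {"date": "2024-05-01T10:05:00Z", "type": "s"},
    {"date": "2024-05-01T10:12:00Z", "type": "s"},
    {"date": "2024-05-01T10:20:00Z", "type": "fp"},
    {"date": "2024-05-01T10:21:00Z", "type": "gd_send_sms"},
    {"date": "2024-05-01T11:01:00Z", "type": "fu"},
    {"date": "2024-05-01T11:01:30Z", "type": "fu"},
    {"date": "2024-05-01T11:02:00Z", "type": "f"},
    {"date": "2024-05-01T11:03:00Z", "type": "limit_mu"},
    {"date": "2024-05-01T11:10:00Z", "type": "fs"},
    {"date": "2024-05-01T11:15:00Z", "type": "pwd_leak"},
]
```

Running classify_hourly(SAMPLE_EVENTS) gives a credential-stuffing ratio of about 0.33 for the 10:00 hour and 1.25 for the 11:00 hour, the kind of hour-over-hour shift the benchmark is meant to surface.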