Metrics

Security Center uses tenant log events to identify patterns that are usually an indicator of known attack types. We classify tenant log event patterns into categories: credential stuffing threats, signup attack threats, and bypass threats.

Classification of event type codes may change. Avoid implementing solutions dependent on the current log event code definitions.

Credential stuffing

We identify credential stuffing threats within a single hour with the following event codes:

Event code	Event
`f`	Failed user login
`fu`	Failed user login due to invalid username
`fp`	Failed user login due to invalid password
`pwd_leak`	Attempted login with a leaked password
`limit_wc`	IP blocked for >10 failed login attempts to a single account
`limit_sul`	User blocked for >20 login per minute from the same IP address
`limit_mu`	IP blocked for >100 failed login attempts or >50 signup attempts

We identify signup attack threats within a single hour with the following event codes:

Event code	Event
`fs`	Failed signup

MFA bypass

We identify MFA bypass threats within a single hour with the following event codes:

Event code	Event
`gd_send_email`	Sent email
`gd_send_pn`	Sent push notification
`gd_send_sms`	Sent SMS
`gd_send_voice`	Sent voice call
`gd_auth_failed`	Failed OTP authentication
`gd_auth_rejected`	Rejected OTP authentication
`gd_otp_rate_limit_exceed`	Too many OTP authentication failures
`gd_recovery_failed`	Failed recovery
`gd_recovery_rate_limit_exceed`	Too many recovery failures
`gd_webauthn_challenge_failed`.	WebAuthn browser failure

Protect Your Application

Call APIs On User's Behalf

Protect Your Tenant

Compliance

Metrics

Credential stuffing

MFA bypass

Protect Your Application

Call APIs On User's Behalf

Protect Your Tenant

Compliance

​Credential stuffing

​Signup attack

​MFA bypass

Credential stuffing

Signup attack

MFA bypass