
Brute force attack against a Cloud PC will trigger on non-Cloud PCs #14093

@andrewj-t

Description


Describe the bug
The way the detection rule Brute force attack against a Cloud PC is named/described is confusing.
The rule as written filters to | where AppDisplayName =~ "Windows Sign In" which is used by any Entra-Joined or Hybrid Joined machine. Not just Windows 365 Cloud PCs.

To Reproduce
Steps to reproduce the behavior:

  1. Install the rule in an environment where Windows 365 is not deployed, but Entra-Joined machines are used
  2. On an Entra-joined machine, fail authentication multiple times to trigger the rule

Expected behavior
The rule should only fire where Windows 365 Cloud PCs experience the issue

Desktop (please complete the following information):

  • OS: Windows 11 (Completed Testing with this OS)

Additional context
I can see two possible paths to fix the issue:

  1. Add additional filters to the rule to filter to Windows 365 Cloud PCs only. I installed Windows 365 Cloud PC for business in my test environment and the only way I could clearly identify that it was a Cloud PC was the device name prefix. But this still has a potential to be a high false positive if customers happen to use that naming for other things, i.e.:
     | where tostring(DeviceDetail.displayName) startswith "CPC-"

output-cloudpc-sanitized.json

  2. Update the description and name of the rule to reflect what it detects more accurately. My suggestion:
     Name: Brute force attack against an Entra-joined PC
     Description:
     Identifies evidence of brute force activity against an Entra Joined (or Entra Hybrid-Joined) PC by highlighting multiple authentication failures and by a successful authentication within a given time window.
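The false positive described above, as an added example that is not part of this issue or of the Sentinel rule itself: a Python model of the failures-then-success logic over constructed sign-in records, with the optional "CPC-" device-name prefix filter from the first fix option. The record layout, the failure threshold, the time window and the sample rows are all assumptions made for the illustration.

```python
from datetime import datetime, timedelta


def _row(ts, user, device, result, app="Windows Sign In"):
    """Build one constructed record shaped like an Entra ID SigninLogs row (assumed layout)."""
    return {"TimeGenerated": ts, "UserPrincipalName": user, "AppDisplayName": app,
            "ResultType": result, "DeviceDetail": {"displayName": device}}


# Constructed sample data, not real logs. ResultType "0" is a successful sign-in;
# any other code is treated as a failure.
SAMPLE_SIGNINS = [
    # Entra-joined workstation (not a Cloud PC): three failures, then a success.
    _row("2024-05-01T09:00:00", "alice@contoso.example", "DESKTOP-AB12", "50126"),
    _row("2024-05-01T09:01:00", "alice@contoso.example", "DESKTOP-AB12", "50126"),
    _row("2024-05-01T09:02:00", "alice@contoso.example", "DESKTOP-AB12", "50126"),
    _row("2024-05-01T09:03:00", "alice@contoso.example", "DESKTOP-AB12", "0"),
    # Windows 365 Cloud PC (CPC- prefix): the same burst pattern.
    _row("2024-05-01T10:00:00", "bob@contoso.example", "CPC-bob-4F2A", "50126"),
    _row("2024-05-01T10:00:30", "bob@contoso.example", "CPC-bob-4F2A", "50126"),
    _row("2024-05-01T10:01:00", "bob@contoso.example", "CPC-bob-4F2A", "50126"),
    _row("2024-05-01T10:02:00", "bob@contoso.example", "CPC-bob-4F2A", "0"),
    # Cloud PC with failures spread over hours, then a success: not a burst, must not fire.
    _row("2024-05-01T11:00:00", "dave@contoso.example", "CPC-dave-9C1D", "50126"),
    _row("2024-05-01T13:00:00", "dave@contoso.example", "CPC-dave-9C1D", "50126"),
    _row("2024-05-01T15:00:00", "dave@contoso.example", "CPC-dave-9C1D", "50126"),
    _row("2024-05-01T15:01:00", "dave@contoso.example", "CPC-dave-9C1D", "0"),
]


def brute_force_hits(rows, failure_threshold=3, window=timedelta(minutes=20), device_prefix=None):
    """Return the (user, device) pairs with >= failure_threshold failures followed by a
    success inside `window`, scoped to the "Windows Sign In" app like the rule, and
    optionally to devices whose displayName starts with device_prefix."""
    scoped = [r for r in rows if r["AppDisplayName"].lower() == "windows sign in"]
    if device_prefix is not None:
        scoped = [r for r in scoped if r["DeviceDetail"]["displayName"].startswith(device_prefix)]
    by_key = {}
    for r in sorted(scoped, key=lambda r: r["TimeGenerated"]):
        by_key.setdefault((r["UserPrincipalName"], r["DeviceDetail"]["displayName"]), []).append(r)
    hits = set()
    for key, events in by_key.items():
        failures = []  # timestamps of failures since the last success
        for ev in events:
            ts = datetime.fromisoformat(ev["TimeGenerated"])
            if ev["ResultType"] == "0":
                if len([f for f in failures if ts - f <= window]) >= failure_threshold:
                    hits.add(key)
                failures = []
            else:
                failures.append(ts)
    return hits
```

Without the prefix filter the Entra-joined workstation fires alongside the Cloud PC; with `device_prefix="CPC-"` only the Cloud PC remains, which is the scoping the first fix option proposes.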
