Forum Discussion
_Mathias_
Sep 23, 2023 - Copper Contributor
Brute force detection in Defender for Identity
Hi, Defender for Identity and Sentinel both offer detection capabilities for brute force attacks such as password guessing and password spray (MITRE T1110). Sentinel is detecting this technique ...
BillClarksonAntill
Sep 24, 2023 - Iron Contributor
_Mathias_ Unfortunately not, there would be no way for even Defender for Identity to know if the same password is being used or something different, due to the password being encrypted and a random hash value being sent (from my understanding).
The best course of action here is to create an ML-based analytic that detects how many attempts someone has made, how fast, and within what time pattern.
Check out the below for further information:
https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/anomaly-detection
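An added example, not part of the thread or of any Microsoft product: the "how many attempts, how fast" idea from the reply above as a fixed-threshold sliding window in Python (a simpler stand-in for an ML analytic), run over constructed logon events. The event fields, thresholds, and device and account names are assumptions; the events carry no password information, so the code counts attempts, not distinct passwords.

```python
from collections import Counter, deque
from datetime import datetime, timedelta

def detect_guessing(events, window=timedelta(minutes=5),
                    brute_threshold=10, spray_threshold=8):
    """events: iterable of (timestamp, device, account, succeeded).
    Returns a set of (kind, device, account_or_None) findings.
    Thresholds and window are illustrative assumptions, not product defaults."""
    recent = {}        # device -> deque of (timestamp, account) failed logons
    findings = set()
    for ts, device, account, succeeded in sorted(events):
        if succeeded:
            continue
        q = recent.setdefault(device, deque())
        q.append((ts, account))
        # Slide the window: forget failures older than `window`.
        while ts - q[0][0] > window:
            q.popleft()
        per_account = Counter(acct for _, acct in q)
        # Many failures against one account from one device, close together.
        if per_account[account] >= brute_threshold:
            findings.add(("brute_force", device, account))
        # Failures against many different accounts from one device.
        if len(per_account) >= spray_threshold:
            findings.add(("password_spray", device, None))
    return findings

def sample_events(step=timedelta(seconds=5)):
    """Constructed sample data; device and account names are made up."""
    t0 = datetime(2023, 10, 2, 9, 0, 0)
    ev = [(t0 + i * step, "WS-01", "user.y", False) for i in range(25)]
    ev += [(t0 + i * step, "WS-02", f"user{i:02d}", False) for i in range(12)]
    # A user mistyping three times over an hour, then logging on: benign shape.
    ev += [(t0 + timedelta(minutes=20 * i), "WS-03", "user.z", False) for i in range(3)]
    ev.append((t0 + timedelta(minutes=61), "WS-03", "user.z", True))
    return ev

if __name__ == "__main__":
    for finding in sorted(detect_guessing(sample_events()), key=str):
        print(finding)
```

Passing `step=timedelta(hours=1)` to `sample_events` spreads the same attempts out in time, and the same counts then produce no finding.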
- _Mathias_ Oct 02, 2023 - Copper Contributor
BillClarksonAntill Thank you for your reply. My understanding is the same, but I have observed the following and similar alerts from Defender for Identity in our environments:
An actor on Device XXX tried 25 passwords on User YYY.
Reading the title, I would assume that the actor has tried 25 different passwords and Defender was somehow able to determine that the passwords used were not the same in each attempt. Otherwise, the title is somewhat misleading and should read something along the lines of 'An actor on Device XXX attempted to log on to User YYY 25 times.'
Any thoughts?