Forum Discussion
Origins of leaked cred alarm
Hi,
Just wondering if any one know how to dig out more information when the Leaked Credential alarm is raised. Trying to figure out the source of the alarm so we can do some more focused hunting, and managers\clients tend to like this information.
Regards
John L
- Hi,
As explained before, this is an Azure AD Identity Protection detection, not an MCAS one.
I don't think AAD exposes the exact location on the Dark Web where they identify those credentials. You can open a support request for AAD to confirm if you want to.
Best regards
3 Replies
Sebastien MolendijkMicrosoft
Hi jlouden
This alert comes from Azure AD Identity Protection that we now expose in the MCAS SecOps portal preview.
This is an offline detection described here: https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-risk-events#leaked-credentials
Have a great day!
We got the alarm, but what is missing is where Microsoft Security spotted the cred's in the first place. While I'm not a massive fan of attribution, aka blaming state actor abc, I think having a process to understand where the alert came from will assist in a preventative and hunting activities.
Could I log a support case with Azure to find out where this information came from,?
Regards
JOhn
- Hi,
As explained before, this is an Azure AD Identity Protection detection, not an MCAS one.
I don't think AAD exposes the exact location on the Dark Web where they identify those credentials. You can open a support request for AAD to confirm if you want to.
Best regards
