Forum Discussion
Password Spray Alert Policy
I don't think it's supported yet. Microsoft is currently looking for this information based on user instead of IP. You might want to submit a user voice for this feature request.
https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/7498858-cloud-app-discovery-adding-new-app
Tom Somerville wrote:
Hello All,
New to the forums and to CAS.
We are an O365 customer, with licensing for CAS, and I am trying to generate an alert policy for a password spray attack.
I want the alert to trigger if >10 failed logon attempts occur within a 10 minute period, from a single IP address. (number of failed attempts and number of minutes a little flexible.)
I see if a singular event happens, or multiple events per user happen, which are great, but what about multiple events per IP, or per App?
Any help with locating where these types of rules are would be great, ty.
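The per-IP rule described in the question (more than 10 failed logons from one IP address within 10 minutes) can be evaluated offline over exported sign-in records. The sketch below is an added example, not part of the thread and not a Cloud App Security policy; the record field names, IP addresses and accounts are constructed assumptions. It also counts the distinct accounts targeted per IP, which goes slightly beyond the stated rule but is what separates a spray from one user mistyping a password.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

BASE = datetime(2024, 1, 1, 9, 0, 0)

def sample_events():
    """Constructed sample records; the field names are assumptions, not an export schema."""
    def ev(offset, ip, user, success=False):
        return {"time": BASE + offset, "ip": ip, "user": user, "success": success}
    events = []
    # 12 failures from one IP against 12 different accounts, 30 seconds apart.
    for i in range(12):
        events.append(ev(timedelta(seconds=30 * i), "203.0.113.7", f"user{i}@example.com"))
    # One user mistyping a password three times, then succeeding.
    for i in range(3):
        events.append(ev(timedelta(minutes=i), "198.51.100.20", "alice@example.com"))
    events.append(ev(timedelta(minutes=3), "198.51.100.20", "alice@example.com", True))
    # 11 failures from a third IP, 12 minutes apart: never more than 10 in a window.
    for i in range(11):
        events.append(ev(timedelta(minutes=12 * i), "192.0.2.44", f"user{i}@example.com"))
    return events

def failed_logons_per_ip(events, threshold=10, window=timedelta(minutes=10)):
    """Return {ip: details} for IPs with more than `threshold` failures in any `window`."""
    recent = defaultdict(deque)  # ip -> (time, user) of failures still inside the window
    alerts = {}
    for e in sorted(events, key=lambda r: r["time"]):
        if e["success"]:
            continue
        q = recent[e["ip"]]
        q.append((e["time"], e["user"]))
        # Drop failures that have aged out of the sliding window.
        while e["time"] - q[0][0] > window:
            q.popleft()
        # Record only the first time an IP crosses the threshold.
        if len(q) > threshold and e["ip"] not in alerts:
            alerts[e["ip"]] = {
                "window_start": q[0][0],
                "triggered_at": e["time"],
                "failures": len(q),
                "distinct_users": len({user for _, user in q}),
            }
    return alerts

if __name__ == "__main__":
    for ip, detail in failed_logons_per_ip(sample_events()).items():
        print(ip, detail)
```

Both `threshold` and `window` are parameters because the question notes that the number of attempts and minutes is flexible.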