Forum Discussion
Password Spray Alert
Hi Magson,
As Patrik demonstrated in his blog, you can create a custom policy to detect such activity, but it also depends on the app connectors connected to your MCAS instance.
Also, MCAS has a built-in policy for pw spray detection, originally launched in release 176 under the name "Unusual failed logon", which can help you in your case. To the best of my knowledge, this policy is currently named "Multiple failed login attempts".
Policy description from MCAS:
New risky activity detection: Unusual failed logon
We've expanded our current capability to detect risky behavior. The new detection is now available out-of-the-box and automatically enabled to alert you when an unusual failed login attempt is identified. Unusual failed login attempts may be an indication of a potential password-spray brute force attack (also known as the low and slow method). This detection impacts the overall investigation priority score of the user.