SOLVED

Origins of leaked cred alarm


Hi,

Just wondering if anyone knows how to dig out more information when the Leaked Credential alarm is raised. Trying to figure out the source of the alarm so we can do some more focused hunting, and managers\clients tend to like this information.

Regards
John L

3 Replies

Hi @jlouden

This alert comes from Azure AD Identity Protection that we now expose in the MCAS SecOps portal preview.

This is an offline detection described here: https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-risk-events#leake...

Have a great day!


Hey @Sebastien Molendijk

We got the alarm, but what is missing is where Microsoft Security spotted the creds in the first place. While I'm not a massive fan of attribution, aka blaming state actor abc, I think having a process to understand where the alert came from will assist in preventative and hunting activities.

Could I log a support case with Azure to find out where this information came from?

Regards

John

Best Response confirmed by jlouden (Occasional Contributor)
Solution
Hi,

As explained before, this is an Azure AD Identity Protection detection, not an MCAS one.
I don't think AAD exposes the exact location on the Dark Web where they identify those credentials. You can open a support request for AAD to confirm if you want to.

Best regards