Password Spray Alert Policy


Hello All,

New to the forums and to CAS.

We are an O365 customer, with licensing for CAS, and I am trying to generate an alert policy for a password spray attack.

 

I want the alert to trigger if >10 failed logon attempts occur within a 10 minute period, from a single IP address. (number of failed attempts and number of minutes a little flexible.)

I see if a singular event happens, or multiple events per user happen, which are great, but what about multiple events per IP, or per App? 

 

Any help with locating where these types of rules are would be great, ty.


5 Replies

Today we only support repeated activity by a single user, not IP address. We will look into this.

Thank you for the clarification.

 

I don't think it's supported yet. Microsoft is currently looking for this information based on user instead of IP.  You might want to submit a user voice for this feature request.

 

https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/7498858-cloud-app-discov...


@Tom Somerville wrote:

Hello All,

New to the forums and to CAS.

We are an O365 customer, with licensing for CAS, and I am trying to generate an alert policy for a password spray attack.

 

I want the alert to trigger if >10 failed logon attempts occur within a 10 minute period, from a single IP address. (number of failed attempts and number of minutes a little flexible.)

I see if a singular event happens, or multiple events per user happen, which are great, but what about multiple events per IP, or per App? 

 

Any help with locating where these types of rules are would be great, ty.

 

 

 



I was looking for the same thing. Any news on this request? 

Unfortunately, still no support for this. I am downloading the logs out of O365, and running them through a custom PowerShell script to look for this.

 

@microsoft, any update on when you will update alert policies?
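The rule the original post asks for (more than 10 failed logons from one IP inside any 10-minute window) and the "export the logs and check them with a script" approach from the last reply, as an added example that is not from the thread or from Microsoft. The CSV layout, the field names and the sample records are constructed stand-ins; a real O365 audit export carries the same facts inside an AuditData JSON blob and needs its own parser. The same function keyed on "user" shows why a per-user rule never fires on a spray, and keyed on "app" gives the per-app view the post also asks about.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample (not real logs): timestamp,user,client_ip,app,operation.
# A spray is many users from one source: 198.51.100.7 fails 11 times in 5 minutes,
# one failure per user, plus one success. 203.0.113.5 is one user with 3 slow failures.
SAMPLE_LOG = "\n".join(
    [f"2024-01-01T10:{m // 2:02d}:{30 * (m % 2):02d}Z,user{m}@contoso.example,"
     f"198.51.100.7,Exchange Online,UserLoginFailed" for m in range(11)]
    + ["2024-01-01T10:06:00Z,user3@contoso.example,198.51.100.7,Exchange Online,UserLoggedIn",
       "2024-01-01T10:00:00Z,alice@contoso.example,203.0.113.5,Exchange Online,UserLoginFailed",
       "2024-01-01T10:30:00Z,alice@contoso.example,203.0.113.5,Exchange Online,UserLoginFailed",
       "2024-01-01T11:00:00Z,alice@contoso.example,203.0.113.5,Exchange Online,UserLoginFailed"])


def parse_records(text):
    """Parse the constructed CSV into dicts with a real datetime for windowing."""
    recs = []
    for line in text.splitlines():
        ts, user, ip, app, op = line.split(",")
        recs.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                     "user": user, "ip": ip, "app": app, "op": op})
    return recs


def spray_alerts(records, key="ip", threshold=10, window_minutes=10):
    """Return {key_value: (first_alert_time, count)} for every value of `key`
    whose failed logons exceed `threshold` inside a sliding window of
    `window_minutes`. Only the first time the rule fires per value is kept."""
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)  # key value -> failure timestamps still inside the window
    alerts = {}
    for r in sorted(records, key=lambda r: r["ts"]):  # exports are not guaranteed ordered
        if r["op"] != "UserLoginFailed":  # successes never count toward the threshold
            continue
        q = recent[r[key]]
        q.append(r["ts"])
        while q and r["ts"] - q[0] > window:  # evict failures older than the window
            q.popleft()
        if len(q) > threshold and r[key] not in alerts:
            alerts[r[key]] = (r["ts"], len(q))
    return alerts


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    for k in ("ip", "user", "app"):
        print(k, spray_alerts(recs, key=k))
```

Keyed on IP the detector fires on 198.51.100.7 at the 11th failure; keyed on user it stays silent, which is exactly the gap the thread describes.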