cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Password Spray Alert

Magson
Copper Contributor

‎Dec 07 2020 03:27 AM

‎Dec 07 2020 03:27 AM

Password Spray Alert

Hello All,

 

New to this environment, so I hope I am posting this request to the correct location

 

Recently I picked up a users account in azure has been hit by a password spray, but noticed there was zero Alerts in cloud app security.

 

Is it possible to configure a policy to detect and alert on this threat? If so, could someone guide how I would go about creating this policy?

 

Thank you in advance. 

Labels:
2,422 Views
0 Likes
4 Replies
Reply
4 Replies
BemmelenPatrick

‎Dec 07 2020 06:58 AM

‎Dec 07 2020 06:58 AM

Re: Password Spray Alert

Dear Magson,

Maybe my blog about combining Azure AD Identity Protection and Azure ATP (Defender for Identity) could help you:

https://www.patrickvanbemmelen.nl/azure-ad-identity-protection-and-azure-atp-combine-cloud-and-on-pr...

You will find guidance on how you can create a new alert policy under CREATE A NEW POLICY WITH MAIL AND TEXT (SMS) ALERT

The most important thing to notice here is that you set the "App equals to" to Office 365 or Active Directory and the correct activity type.

I hope this will help you with setting the policy.
0 Likes
Reply
Magson

‎Dec 07 2020 07:04 AM

‎Dec 07 2020 07:04 AM

Re: Password Spray Alert

@BemmelenPatrick fantastic I will give this a look over. thank you for your time.

0 Likes
Reply
BemmelenPatrick

‎Dec 07 2020 08:06 AM

‎Dec 07 2020 08:06 AM

Re: Password Spray Alert

No problem @Magson, I'm here to help and happy to do so :)
0 Likes
Reply
Sami Lamppu

‎Jan 14 2021 04:14 AM

‎Jan 14 2021 04:14 AM

Re: Password Spray Alert

Hi @Magson,

 

As Patrik demonstrated in his blog you can create a custom policy to detect such activity but it also depends on app connectors connected to your MCAS instance.

 

Also, MCAS has a built-in policy for pw spray detection which can help you in your case, launched originally in release 176 called "Unusual failed logon". To the best of my knowledge, this policy is currently named "Multiple failed login attempts"

 

Policy description from MCAS:

New risky activity detection: Unusual failed logon
We've expanded our current capability to detect risky behavior. The new detection is now available out-of-the-box and automatically enabled to alert you when an unusual failed login attempt is identified. Unusual failed login attempts may be an indication of a potential password-spray brute force attack (also known as the low and slow method). This detection impacts the overall investigation priority score of the user.

0 Likes
Reply