Dec 07 2020 03:27 AM
Hello All,
New to this environment, so I hope I am posting this request to the correct location.
Recently I picked up that a user's account in Azure has been hit by a password spray, but noticed there were zero alerts in Cloud App Security.
Is it possible to configure a policy to detect and alert on this threat? If so, could someone guide me on how I would go about creating this policy?
Thank you in advance.
Dec 07 2020 06:58 AM
Dec 07 2020 07:04 AM
@BemmelenPatrick Fantastic, I will give this a look over. Thank you for your time.
Dec 07 2020 08:06 AM
Jan 14 2021 04:14 AM
Hi @Magson,
As Patrik demonstrated in his blog, you can create a custom policy to detect such activity, but it also depends on the app connectors connected to your MCAS instance.
Also, MCAS has a built-in policy for pw spray detection which can help you in your case, launched originally in release 176 called "Unusual failed logon". To the best of my knowledge, this policy is currently named "Multiple failed login attempts".
Policy description from MCAS:
New risky activity detection: Unusual failed logon
We've expanded our current capability to detect risky behavior. The new detection is now available out-of-the-box and automatically enabled to alert you when an unusual failed login attempt is identified. Unusual failed login attempts may be an indication of a potential password-spray brute force attack (also known as the low and slow method). This detection impacts the overall investigation priority score of the user.
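An added example, not part of the thread and not MCAS's own detection logic: it shows why a "low and slow" spray stays under a per-account failure threshold but stands out once failed sign-ins are grouped by source. The record layout, function names and thresholds are assumptions, and the sign-in data is constructed.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-ins: (time, source IP, user, succeeded).
T0 = datetime(2020, 12, 6, 8, 0)
USERS = ["alice", "bob", "carol", "dave", "erin", "frank"]
SAMPLE = (
    # Low and slow: one failure per account, 40 minutes apart, one source.
    [(T0 + timedelta(minutes=40 * i), "203.0.113.7", u, False)
     for i, u in enumerate(USERS)]
    # Classic brute force: many failures against a single account.
    + [(T0 + timedelta(seconds=10 * i), "198.51.100.9", "alice", False)
       for i in range(8)]
    # Ordinary typo followed by a successful sign-in.
    + [(T0, "192.0.2.10", "bob", False),
       (T0 + timedelta(minutes=1), "192.0.2.10", "bob", True)]
)

def per_user_failures(events, threshold=5):
    """Lockout-style view: accounts with at least `threshold` failures."""
    counts = Counter(user for _, _, user, ok in events if not ok)
    return sorted(u for u, n in counts.items() if n >= threshold)

def detect_spray(events, window=timedelta(hours=24), min_users=5, max_per_user=3):
    """Sources whose failures inside `window` touch many accounts, few tries each."""
    by_source = defaultdict(list)
    for ts, ip, user, ok in events:
        if not ok:
            by_source[ip].append((ts, user))
    flagged = {}
    for ip, rows in by_source.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window:
                start += 1  # slide the window forward
            counts = Counter(user for _, user in rows[start:end + 1])
            if len(counts) >= min_users and max(counts.values()) <= max_per_user:
                flagged[ip] = sorted(counts)
    return flagged

if __name__ == "__main__":
    print("per-account view:", per_user_failures(SAMPLE))
    print("per-source view: ", detect_spray(SAMPLE))
```

Grouping by source address only catches a spray that comes from one address; attempts spread across many sources need a different pivot.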