Password Spray Alert

%3CLINGO-SUB%20id%3D%22lingo-sub-1962259%22%20slang%3D%22en-US%22%3EPassword%20Spray%20Alert%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1962259%22%20slang%3D%22en-US%22%3E%3CP%3EHello%20All%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ENew%20to%20this%20environment%2C%20so%20I%20hope%20I%20am%20posting%20this%20request%20to%20the%20correct%20location%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ERecently%20I%20picked%20up%20a%20users%20account%20in%20azure%20has%20been%20hit%20by%20a%20password%20spray%2C%20but%20noticed%20there%20was%20zero%20Alerts%20in%20cloud%20app%20security.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIs%20it%20possible%20to%20configure%20a%20policy%20to%20detect%20and%20alert%20on%20this%20threat%3F%20If%20so%2C%20could%20someone%20guide%20how%20I%20would%20go%20about%20creating%20this%20policy%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThank%20you%20in%20advance.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1962259%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3ECloud%20App%20Security%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1962904%22%20slang%3D%22en-US%22%3ERe%3A%20Password%20Spray%20Alert%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1962904%22%20slang%3D%22en-US%22%3EDear%20Magson%2C%3CBR%20%2F%3E%3CBR%20%2F%3EMaybe%20my%20blog%20about%20combining%20Azure%20AD%20Identity%20Protection%20and%20Azure%20ATP%20(Defender%20for%20Identity)%20could%20help%20you%3A%3CBR%20%2F%3E%3CBR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Fwww.patrickvanbemmelen.nl%2Fazure-ad-identity-protection-and-azure-atp-combine-cloud-and-on-prem-id-security%2F%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fwww.patrickvanbemmelen.nl%2Fazure-ad-identity-protection-and-azure-atp-combine-cloud-and-on-prem-id-security%2F%3C%2FA%3E%3CBR%20%2F%3E%3CBR%20%2F%3EYou%20will%20find%20guidance%20on%20how%20you%20can%20create%20a%20new%20alert%20policy%20under%20CREATE%20A%20NEW%20POLICY%20WITH%20MAIL%20AND%20TEXT%20(SMS)%20ALERT%3CBR%20%2F%3E%3CBR%20%2F%3EThe%20most%20important%20thing%20to%20notice%20here%20is%20that%20you%20set%20the%20%22App%20equals%20to%22%20to%20Office%20365%20or%20Active%20Directory%20and%20the%20correct%20activity%20type.%3CBR%20%2F%3E%3CBR%20%2F%3EI%20hope%20this%20will%20help%20you%20with%20setting%20the%20policy.%3CBR%20%2F%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1962932%22%20slang%3D%22en-US%22%3ERe%3A%20Password%20Spray%20Alert%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1962932%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F399562%22%20target%3D%22_blank%22%3E%40PvB91%3C%2FA%3E%26nbsp%3Bfantastic%20I%20will%20give%20this%20a%20look%20over.%20thank%20you%20for%20your%20time.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1963192%22%20slang%3D%22en-US%22%3ERe%3A%20Password%20Spray%20Alert%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1963192%22%20slang%3D%22en-US%22%3ENo%20problem%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F861749%22%20target%3D%22_blank%22%3E%40Magson%3C%2FA%3E%2C%20I'm%20here%20to%20help%20and%20happy%20to%20do%20so%20%3A)%3C%2Fimg%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2060522%22%20slang%3D%22en-US%22%3ERe%3A%20Password%20Spray%20Alert%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2060522%22%20slang%3D%22en-US%22%3E%3CP%3EHi%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F861749%22%20target%3D%22_blank%22%3E%40Magson%3C%2FA%3E%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAs%20Patrik%20demonstrated%20in%20his%20blog%20you%20can%20create%20a%20custom%20policy%20to%20detect%20such%20activity%20but%20it%20also%20depends%20on%20app%20connectors%20connected%20to%20your%20MCAS%20instance.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAlso%2C%20MCAS%20has%20a%20built-in%20policy%20for%20pw%20spray%20detection%20which%20can%20help%20you%20in%20your%20case%2C%20launched%20originally%20in%20release%20176%20called%20%22%3CSTRONG%3EUnusual%20failed%20logon%22.%26nbsp%3B%3C%2FSTRONG%3ETo%20the%20best%20of%20my%20knowledge%2C%20this%20policy%20is%20currently%20named%20%3CSTRONG%3E%22Multiple%20failed%20login%20attempts%22%3C%2FSTRONG%3E.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EPolicy%20description%20from%20MCAS%3A%3C%2FP%3E%3CP%3E%3CEM%3ENew%20risky%20activity%20detection%3A%20Unusual%20failed%20logon%3C%2FEM%3E%3CBR%20%2F%3E%3CEM%3EWe've%20expanded%20our%20current%20capability%20to%20detect%20risky%20behavior.%20The%20new%20detection%20is%20now%20available%20out-of-the-box%20and%20automatically%20enabled%20to%20alert%20you%20when%20an%20unusual%20failed%20login%20attempt%20is%20identified.%20Unusual%20failed%20login%20attempts%20may%20be%20an%20indication%20of%20a%20potential%20password-spray%20brute%20force%20attack%20(also%20known%20as%20the%20low%20and%20slow%20method).%20This%20detection%20impacts%20the%20overall%20investigation%20priority%20score%20of%20the%20user.%3C%2FEM%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E
New Contributor

Hello All,

 

New to this environment, so I hope I am posting this request to the correct location

 

Recently I picked up a users account in azure has been hit by a password spray, but noticed there was zero Alerts in cloud app security.

 

Is it possible to configure a policy to detect and alert on this threat? If so, could someone guide how I would go about creating this policy?

 

Thank you in advance. 

4 Replies
Dear Magson,

Maybe my blog about combining Azure AD Identity Protection and Azure ATP (Defender for Identity) could help you:

https://www.patrickvanbemmelen.nl/azure-ad-identity-protection-and-azure-atp-combine-cloud-and-on-pr...

You will find guidance on how you can create a new alert policy under CREATE A NEW POLICY WITH MAIL AND TEXT (SMS) ALERT

The most important thing to notice here is that you set the "App equals to" to Office 365 or Active Directory and the correct activity type.

I hope this will help you with setting the policy.

@BemmelenPatrick fantastic I will give this a look over. thank you for your time.

No problem @Magson, I'm here to help and happy to do so :)

Hi @Magson,

 

As Patrik demonstrated in his blog you can create a custom policy to detect such activity but it also depends on app connectors connected to your MCAS instance.

 

Also, MCAS has a built-in policy for pw spray detection which can help you in your case, launched originally in release 176 called "Unusual failed logon". To the best of my knowledge, this policy is currently named "Multiple failed login attempts"

 

Policy description from MCAS:

New risky activity detection: Unusual failed logon
We've expanded our current capability to detect risky behavior. The new detection is now available out-of-the-box and automatically enabled to alert you when an unusual failed login attempt is identified. Unusual failed login attempts may be an indication of a potential password-spray brute force attack (also known as the low and slow method). This detection impacts the overall investigation priority score of the user.