cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Understanding alert Password Spray in MCAS with details

Rberlinski
Copper Contributor

‎May 26 2021 11:11 AM

‎May 26 2021 11:11 AM

Understanding alert Password Spray in MCAS with details

Hello, we are facing alert in our MCAS "Risky sign-in: password spray". There is one activity associated with that after clicking on this alert:
Description: Failed log on (Failure message: Strong authentication is required.)
Type: (in app): Login:login
User: (our user)
IP address: some remote IP


I have readed about this here: https://techcommunity.microsoft.com/t5/azure-active-directory-identity/advancing-password-spray-atta...


But my question is what it means in details? 
- Our user from activity performed spray attack?
- IP address from activity alert performed spray attack?
- Our user was hitted by spray attack came from IP address from activity alert?


Basically looking for way of investigation this.

Labels:
3,861 Views
0 Likes
2 Replies
Reply
2 Replies
Sami Lamppu

‎Jun 08 2021 12:28 AM

‎Jun 08 2021 12:28 AM

Re: Understanding alert Password Spray in MCAS with details

Hello @Rberlinski ,

 

If you are looking for a guide on how to investigate MCAS alerts and especially the "Multiple failed logins" type of alert this might be helpful:

Cloud App Security anomaly detection alerts investigation guide | Microsoft Docs

 

It provides: "general and practical information on each alert, to help with your investigation and remediation tasks"

 

 

0 Likes
Reply
Rberlinski

‎Jun 10 2021 01:23 AM

‎Jun 10 2021 01:23 AM

Re: Understanding alert Password Spray in MCAS with details

Thanks but this is far away what I expected. After short call with MS "password spray" alert more or less means that user used password which is flagged as common during this attack based on MS experience. My case is still open, I will let you know when grab some additional details.
0 Likes
Reply