Jul 04 2019 10:10 PM
Hi,
Just wondering if any one know how to dig out more information when the Leaked Credential alarm is raised. Trying to figure out the source of the alarm so we can do some more focused hunting, and managers\clients tend to like this information.
Regards
John L
Jul 08 2019 11:59 PM
Hi @jlouden
This alert comes from Azure AD Identity Protection that we now expose in the MCAS SecOps portal preview.
This is an offline detection described here: https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-risk-events#leake...
Have a great day!
Jul 10 2019 04:35 PM
We got the alarm, but what is missing is where Microsoft Security spotted the cred's in the first place. While I'm not a massive fan of attribution, aka blaming state actor abc, I think having a process to understand where the alert came from will assist in a preventative and hunting activities.
Could I log a support case with Azure to find out where this information came from,?
Regards
JOhn
Jul 17 2019 03:01 AM
SolutionJul 17 2019 03:01 AM
Solution