Mar 21 2018 06:06 AM
Hello All,
New to the forums and to CAS.
We are an O365 customer, with licensing for CAS, and I am trying to generate an alert policy for a password spray attack.
I want the alert to trigger if >10 failed logon attempts occur within a 10 minute period, from a single IP address. (number of failed attempts and number of minutes a little flexible.)
I see if a singular event happens, or multiple events per user happen, which are great, but what about multiple events per IP, or per App?
Any help with locating where these types of rules are would be great, ty.
Mar 29 2018 10:51 AM
Today we only support repeated activity by a single user, not by IP address. We will look into this.
Apr 02 2018 05:37 AM
I don't think it's supported yet. Microsoft is currently looking for this information based on user instead of IP. You might want to submit a UserVoice for this feature request.
@Tom Somerville wrote:
Hello All,
New to the forums and to CAS.
We are an O365 customer, with licensing for CAS, and I am trying to generate an alert policy for a password spray attack.
I want the alert to trigger if >10 failed logon attempts occur within a 10 minute period, from a single IP address. (number of failed attempts and number of minutes a little flexible.)
I see if a singular event happens, or multiple events per user happen, which are great, but what about multiple events per IP, or per App?
Any help with locating where these types of rules are would be great, ty.
Jun 14 2018 03:20 PM
I was looking for the same thing. Any news on this request?
Jun 15 2018 06:09 AM
Unfortunately, still no support for this. I am downloading the logs out of O365 and running them through a custom PowerShell script to look for this.
@Pernille-Eskebo, any update on when you will update alert policies?
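An added illustration of the offline check described in the post above; it is not the poster's script and not Microsoft code. It counts failed sign-ins per source IP in a sliding window and reports any IP with more than 10 failures inside 10 minutes. It assumes exported records carry the unified audit log fields `CreationTime`, `Operation`, `UserId` and `ClientIP`; the function name, its parameters and the sample records are constructed for the example.

```powershell
# Added example: sliding-window count of failed sign-ins per source IP.
# Assumes unified audit log fields CreationTime, Operation, UserId, ClientIP.
# Find-FailedLogonBurst and its parameters are hypothetical names.
function Find-FailedLogonBurst {
    param(
        [Parameter(Mandatory)] [object[]] $Records,
        [int] $Threshold = 10,       # alert when MORE than this many failures...
        [int] $WindowMinutes = 10    # ...fall inside one window of this length
    )
    $window = [TimeSpan]::FromMinutes($WindowMinutes)
    $Records |
        Where-Object { $_.Operation -eq 'UserLoginFailed' -and $_.ClientIP } |
        Group-Object -Property ClientIP |
        ForEach-Object {
            $ip = $_.Name
            $fails = @($_.Group | Sort-Object { [datetime]$_.CreationTime })
            $start = 0; $best = 0; $bestStart = 0; $bestEnd = 0
            for ($end = 0; $end -lt $fails.Count; $end++) {
                $tEnd = [datetime]$fails[$end].CreationTime
                # Advance the left edge until the window spans at most $WindowMinutes.
                while (($tEnd - [datetime]$fails[$start].CreationTime) -gt $window) { $start++ }
                $count = $end - $start + 1
                if ($count -gt $best) { $best = $count; $bestStart = $start; $bestEnd = $end }
            }
            if ($best -gt $Threshold) {
                $hits = $fails[$bestStart..$bestEnd]
                [pscustomobject]@{
                    ClientIP      = $ip
                    FailedLogons  = $best
                    DistinctUsers = @($hits.UserId | Sort-Object -Unique).Count
                    WindowStart   = [datetime]$hits[0].CreationTime
                    WindowEnd     = [datetime]$hits[-1].CreationTime
                }
            }
        }
}

# Constructed sample records (not real tenant data): 12 failures against 12 accounts
# from one address within 6 minutes, plus 3 widely spaced failures from another address.
$t0 = [datetime]'2018-06-15T06:00:00'
$mk = { param($t, $u, $ip)
    [pscustomobject]@{ CreationTime = $t; Operation = 'UserLoginFailed'; UserId = $u; ClientIP = $ip } }
$sample = @(
    0..11 | ForEach-Object { & $mk ($t0.AddSeconds(30 * $_)) ('user{0}@example.com' -f $_) '203.0.113.7' }
    0..2  | ForEach-Object { & $mk ($t0.AddMinutes(20 * $_)) 'alice@example.com' '198.51.100.20' }
)
Find-FailedLogonBurst -Records $sample
```

The `DistinctUsers` column separates a spray (many accounts from one address) from one user repeatedly mistyping a password, which the per-user policies already cover.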
Apr 26 2023 03:56 AM