Password Spray Alert Policy

Copper Contributor

Hello All,

New to the forums and to CAS.

We are an O365 customer, with licensing for CAS, and I am trying to generate an alert policy for a password spray attack.

 

I want the alert to trigger if >10 failed logon attempts occur within a 10 minute period, from a single IP address. (number of failed attempts and number of minutes a little flexible.)

I see if a singular event happens, or multiple events per user happen, which are great, but what about multiple events per IP, or per App? 

 

Any help with locating where these types of rules are would be great, ty.

 

 

 

6 Replies

Today we only support repeated activity by a single user not IP address.  We will look into this.

Thank you for clarification. 

 

I don't think it's supported yet. Microsoft is currently looking for this information based on user instead of IP.  You might want to submit a user voice for this feature request.

 

https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/7498858-cloud-app-discov...


@Tom Somerville wrote:

Hello All,

New to the forums and to CAS.

We are an O365 customer, with licensing for CAS, and I am trying to generate an alert policy for a password spray attack.

 

I want the alert to trigger if >10 failed logon attempts occur within a 10 minute period, from a single IP address. (number of failed attempts and number of minutes a little flexible.)

I see if a singular event happens, or multiple events per user happen, which are great, but what about multiple events per IP, or per App? 

 

Any help with locating where these types of rules are would be great, ty.

 

 

 



@Tom Somerville wrote:

Hello All,

New to the forums and to CAS.

We are an O365 customer, with licensing for CAS, and I am trying to generate an alert policy for a password spray attack.

 

I want the alert to trigger if >10 failed logon attempts occur within a 10 minute period, from a single IP address. (number of failed attempts and number of minutes a little flexible.)

I see if a singular event happens, or multiple events per user happen, which are great, but what about multiple events per IP, or per App? 

 

Any help with locating where these types of rules are would be great, ty.

 

 

 


 

I was looking for the same thing. Any news on this request? 

 Unfortunately, still no support for this. I am downloading the logs out of O365, and running them through a custom powershell script to look for this.

 

@Pernille-Eskebo, any update on when you will update alert policies?

Hi Tom Somerville,
Your long awaited requirement comes into action now. Microsoft is rolling out a new 'Password spray attack originating from single ISP' alert in Defender portal. This alert policy is enabled by default. Refer the below blog to know more on identifying crucial indicators and remediate actions.
https://blog.admindroid.com/password-spray-attack-detection-with-new-microsoft-365-defender-alert/