May 26 2021 11:11 AM
Hello, we are facing an alert in our MCAS: "Risky sign-in: password spray". There is one activity associated with it after clicking on this alert:
Description: Failed log on (Failure message: Strong authentication is required.)
Type: (in app): Login:login
User: (our user)
IP address: some remote IP
I have read about this here: https://techcommunity.microsoft.com/t5/azure-active-directory-identity/advancing-password-spray-atta...
But my question is what it means in detail:
- Did our user from the activity perform a spray attack?
- Did the IP address from the activity alert perform a spray attack?
- Was our user hit by a spray attack that came from the IP address in the activity alert?
Basically I'm looking for a way to investigate this.
Jun 08 2021 12:28 AM
Hello @Rberlinski ,
If you are looking for a guide on how to investigate MCAS alerts, and especially the "Multiple failed logins" type of alert, this might be helpful:
Cloud App Security anomaly detection alerts investigation guide | Microsoft Docs
It provides: "general and practical information on each alert, to help with your investigation and remediation tasks"
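The three questions in the original post (is the user the source, is the IP the source, or was the user a target) are usually answered by pulling the sign-in log for the alert's time window and pivoting on the IP rather than on the user. The script below is an added example of that pivot, not code from the thread, from MCAS or from Microsoft. It works on constructed records shaped like Microsoft Graph `signIn` objects (`userPrincipalName`, `ipAddress`, `createdDateTime`, `status.errorCode`); the error codes are the Azure AD ones I know for "invalid username or password" (50126) and "strong authentication is required" (50074), used here as assumptions in sample data. A source IP that touches many users with one or two attempts each is the spray pattern; a 50074 failure is the interesting one for an investigator, because it means the primary credential was accepted and only MFA stopped the sign-in.

```python
"""Pivot failed sign-ins on source IP to separate password spray (one IP,
many users, few attempts each) from brute force (one IP, one user, many
attempts), and list the users whose password the source already had."""
from collections import defaultdict
from datetime import datetime

# Azure AD sign-in error codes, assumed from the public AADSTS code list.
SUCCESS = 0
BAD_PASSWORD = 50126          # invalid username or password
STRONG_AUTH_REQUIRED = 50074  # password accepted, MFA required and not satisfied


def rec(ts, user, ip, code):
    """Build one record in the shape of a Microsoft Graph signIn object."""
    return {"createdDateTime": ts, "userPrincipalName": user,
            "ipAddress": ip, "status": {"errorCode": code}}


# Constructed sample data, not real tenant logs.
SAMPLE_SIGNINS = [
    # one source IP, one guess per user, the last guess got the password right
    rec("2021-05-26T09:00:00Z", "alice@contoso.example", "203.0.113.5", BAD_PASSWORD),
    rec("2021-05-26T09:00:30Z", "bob@contoso.example",   "203.0.113.5", BAD_PASSWORD),
    rec("2021-05-26T09:01:00Z", "carol@contoso.example", "203.0.113.5", BAD_PASSWORD),
    rec("2021-05-26T09:01:30Z", "dave@contoso.example",  "203.0.113.5", BAD_PASSWORD),
    rec("2021-05-26T09:02:00Z", "eve@contoso.example",   "203.0.113.5", STRONG_AUTH_REQUIRED),
    # a different source IP hammering a single account
    *[rec(f"2021-05-26T10:00:{i:02d}Z", "bob@contoso.example", "198.51.100.7", BAD_PASSWORD)
      for i in range(6)],
    # a normal successful sign-in, which the analysis ignores
    rec("2021-05-26T11:00:00Z", "alice@contoso.example", "192.0.2.9", SUCCESS),
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def summarize_by_ip(signins):
    """Aggregate failed sign-ins per source IP: attempts per user, timestamps,
    and the users for which the password was accepted but MFA was required."""
    per_ip = {}
    for r in signins:
        code = r["status"]["errorCode"]
        if code == SUCCESS:
            continue
        entry = per_ip.setdefault(r["ipAddress"], {
            "attempts_per_user": defaultdict(int),
            "password_accepted": set(),
            "times": [],
        })
        entry["attempts_per_user"][r["userPrincipalName"]] += 1
        entry["times"].append(_ts(r["createdDateTime"]))
        if code == STRONG_AUTH_REQUIRED:
            entry["password_accepted"].add(r["userPrincipalName"])
    return per_ip


def classify(signins, min_users=3, max_per_user=2, min_brute=5):
    """Label each source IP as password_spray, brute_force or unclear.
    Thresholds are illustrative; tune them to the tenant's normal noise."""
    result = {}
    for ip, e in summarize_by_ip(signins).items():
        counts = e["attempts_per_user"]
        distinct, total, worst = len(counts), sum(counts.values()), max(counts.values())
        span = (max(e["times"]) - min(e["times"])).total_seconds() / 60
        if distinct >= min_users and worst <= max_per_user:
            verdict = "password_spray"
        elif distinct == 1 and total >= min_brute:
            verdict = "brute_force"
        else:
            verdict = "unclear"
        result[ip] = {
            "verdict": verdict,
            "distinct_users": distinct,
            "failed_attempts": total,
            "span_minutes": round(span, 1),
            "password_accepted": sorted(e["password_accepted"]),
        }
    return result


def targets_of(ip, signins):
    """Which of our users did this source IP try? (answers 'was our user hit')"""
    return sorted({r["userPrincipalName"] for r in signins
                   if r["ipAddress"] == ip and r["status"]["errorCode"] != SUCCESS})


if __name__ == "__main__":
    for ip, summary in classify(SAMPLE_SIGNINS).items():
        print(ip, summary)
```

Run against the sample, the spraying IP comes out with five distinct targets in two minutes and one user (`eve`) in `password_accepted`; that user needs a password reset and a session review even though the sign-in was blocked, while the other four only show that their names are on the attacker's list. The second IP, six failures against one account, is brute force rather than spray and deserves a separate alert. In a real investigation the records come from the Azure AD sign-in log or the MCAS activity log filtered to the alert's IP and time window; the same grouping applies.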
Jun 10 2021 01:23 AM