Credential Stuffing Attack on Azure

Set up the azure integration.

このページは日本語には対応しておりません。随時翻訳に取り組んでいます。翻訳に関してご質問やご意見ございましたら、お気軽にご連絡ください。

Goal

Detect and identify the network IP address or user agent when multiple user accounts have login attempt activities recorded.

Strategy

Monitor Azure Active Directory and detect when any @evt.category is equal to SignInLogs and at least 5 of the @evt.outcome are equal to false by the same network IP address or user agent.

Security Signal returns MEDIUM if`@evt.outcomehas value ofsuccess` after 5 multiple failed logins by the same network IP address or user agent.

Triage and response

  1. Inspect the log and determine if this was a valid login attempt.
  2. If the user was compromised, rotate user credentials.

Changelog

  • 14 June 2022 - Updated triggering cases to align with other credential stuffing rules. Also updated other backend options to reduce noise levels.
  • 26 October 2022 - Updated query.
PREVIEWING: mervebolat/span-id-preprocessing