<  Back to rules search

Credential Stuffing Attack on Azure

azure

Classification:

attack

Tactic:

Technique:

Set up the azure integration.

このページは日本語には対応しておりません。随時翻訳に取り組んでいます。翻訳に関してご質問やご意見ございましたら、お気軽にご連絡ください。

Goal

Detect and identify the network IP address when multiple user accounts have login attempt activities recorded.

Strategy

Monitor Azure Active Directory and detect when any @evt.category is equal to SignInLogs and more than 1 of the @evt.outcome are equal to false and was initiated by the same network IP address.

Security Signal returns HIGH if`@evt.outcomehas value ofsuccess` after multiple failed logins were initiated by the same network IP address.

Triage and response

  1. Inspect the log and determine if this was a valid login attempt.
  2. If the user was compromised, rotate user credentials.