Password spray attack observed

This rule is part of a beta feature. To learn more, contact Support.

Goal

Detects password spray attacks where a single source IP attempts to authenticate against multiple user accounts.

Strategy

This rule monitors authentication logs from multiple platforms, including Okta, AWS CloudTrail, Auth0 and Microsoft 365, normalized into the OCSF schema, and looks for a single source IP producing failed authentication attempts against many distinct user accounts. In a password spray the attacker tries a small number of common passwords against a large set of accounts rather than many passwords against one account, so each account sees only one or a few failures and the activity stays below account lockout thresholds, while the attacker still gets a chance to compromise credentials across the organization. Counting distinct targeted accounts per source IP, rather than failures per account, is what makes the pattern visible.

Triage & Response

  • Examine the failed authentication attempts from {{@ocsf.src_endpoint.ip}} to verify the activity represents malicious behavior rather than legitimate user issues.
  • Review the targeted usernames to determine if they follow organizational naming conventions or represent high-value accounts.
  • Check if any successful authentication attempts occurred from the same source IP during the detection timeframe to identify potentially compromised accounts.
  • Check if any other IP addresses are exhibiting the same pattern.
  • Verify if the source IP address belongs to known organizational infrastructure, VPN endpoints, or external locations.
  • Analyze the timing patterns and frequency of failed attempts to distinguish between automated tools and manual authentication attempts.
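The following is an added example (not the rule's own logic or code from the product documentation) that implements the detection described under Strategy and the first three triage steps above over constructed sample events. The events are shaped loosely after the OCSF Authentication class (`src_endpoint.ip`, `user.name`, `status_id` 1 = success, 2 = failure); those field names, the 10-minute window and the five-account threshold are assumptions for illustration, not the rule's actual parameters.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample events. Field layout mirrors the OCSF Authentication
# class loosely (status_id 1 = success, 2 = failure); it is an assumption
# for illustration, not Datadog's exact normalized schema.
SAMPLE_EVENTS = [
    # 203.0.113.7: one password tried against six accounts, then a success on one
    {"time": "2024-05-01T10:00:05Z", "src_endpoint": {"ip": "203.0.113.7"}, "user": {"name": "alice"}, "status_id": 2},
    {"time": "2024-05-01T10:00:09Z", "src_endpoint": {"ip": "203.0.113.7"}, "user": {"name": "bob"}, "status_id": 2},
    {"time": "2024-05-01T10:00:14Z", "src_endpoint": {"ip": "203.0.113.7"}, "user": {"name": "carol"}, "status_id": 2},
    {"time": "2024-05-01T10:00:18Z", "src_endpoint": {"ip": "203.0.113.7"}, "user": {"name": "dave"}, "status_id": 2},
    {"time": "2024-05-01T10:00:22Z", "src_endpoint": {"ip": "203.0.113.7"}, "user": {"name": "erin"}, "status_id": 2},
    {"time": "2024-05-01T10:00:27Z", "src_endpoint": {"ip": "203.0.113.7"}, "user": {"name": "frank"}, "status_id": 2},
    {"time": "2024-05-01T10:00:31Z", "src_endpoint": {"ip": "203.0.113.7"}, "user": {"name": "frank"}, "status_id": 1},
    # 198.51.100.4: one user mistyping their password three times (not a spray)
    {"time": "2024-05-01T10:01:00Z", "src_endpoint": {"ip": "198.51.100.4"}, "user": {"name": "grace"}, "status_id": 2},
    {"time": "2024-05-01T10:01:10Z", "src_endpoint": {"ip": "198.51.100.4"}, "user": {"name": "grace"}, "status_id": 2},
    {"time": "2024-05-01T10:01:20Z", "src_endpoint": {"ip": "198.51.100.4"}, "user": {"name": "grace"}, "status_id": 2},
    {"time": "2024-05-01T10:01:40Z", "src_endpoint": {"ip": "198.51.100.4"}, "user": {"name": "grace"}, "status_id": 1},
    # 192.0.2.9: five accounts, but one attempt per hour (a low-and-slow spray outside a 10-minute window)
    {"time": "2024-05-01T08:00:00Z", "src_endpoint": {"ip": "192.0.2.9"}, "user": {"name": "alice"}, "status_id": 2},
    {"time": "2024-05-01T09:00:00Z", "src_endpoint": {"ip": "192.0.2.9"}, "user": {"name": "bob"}, "status_id": 2},
    {"time": "2024-05-01T10:00:00Z", "src_endpoint": {"ip": "192.0.2.9"}, "user": {"name": "carol"}, "status_id": 2},
    {"time": "2024-05-01T11:00:00Z", "src_endpoint": {"ip": "192.0.2.9"}, "user": {"name": "dave"}, "status_id": 2},
    {"time": "2024-05-01T12:00:00Z", "src_endpoint": {"ip": "192.0.2.9"}, "user": {"name": "erin"}, "status_id": 2},
]


def _ts(value):
    """Parse an ISO-8601 UTC timestamp ('Z' suffix) into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def find_password_sprays(events, window_minutes=10, min_users=5):
    """Group failed authentications by source IP and return {ip: finding} for
    every IP that fails against at least `min_users` distinct accounts inside
    any span of `window_minutes`. Threshold and window are illustrative."""
    window = timedelta(minutes=window_minutes)
    failures = defaultdict(list)
    for e in events:
        if e["status_id"] == 2:
            failures[e["src_endpoint"]["ip"]].append((_ts(e["time"]), e["user"]["name"]))

    findings = {}
    for ip, attempts in failures.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            # slide the left edge forward until the span fits inside the window
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            if len({u for _, u in attempts[start:end + 1]}) < min_users:
                continue
            # threshold crossed: report every failure in the full window from `start`
            limit = attempts[start][0] + window
            span = [a for a in attempts[start:] if a[0] <= limit]
            per_user = Counter(u for _, u in span)
            findings[ip] = {
                "window_start": span[0][0],
                "window_end": span[-1][0],
                "targeted_users": sorted(per_user),
                # a spray keeps this number low on purpose, which is why
                # per-account lockout policies never fire
                "max_failures_per_user": max(per_user.values()),
            }
            break
    return findings


def successful_logins_from(events, ip, window_start, window_end, slack_minutes=5):
    """Triage aid: accounts that authenticated successfully from the spraying IP
    during, or shortly after, the detection window. Each hit is a candidate
    compromised account, because the 'successful' guess looks like a normal login."""
    slack = timedelta(minutes=slack_minutes)
    lo, hi = window_start - slack, window_end + slack
    return sorted({
        e["user"]["name"] for e in events
        if e["status_id"] == 1
        and e["src_endpoint"]["ip"] == ip
        and lo <= _ts(e["time"]) <= hi
    })


if __name__ == "__main__":
    for ip, f in find_password_sprays(SAMPLE_EVENTS).items():
        print(ip, f["targeted_users"], "max failures per user:", f["max_failures_per_user"])
        print("  successful logins from same IP:",
              successful_logins_from(SAMPLE_EVENTS, ip, f["window_start"], f["window_end"]))
```

Because the grouping is per source IP over the whole event set, the returned dictionary already answers the "are other IPs exhibiting the same pattern" question; `192.0.2.9` only appears once the window is widened (for example to several hours), which is the trade-off between catching low-and-slow sprays and generating noise from ordinary typos. The `max_failures_per_user` value is worth surfacing in the alert: a value of 1 or 2 across many accounts is the signature of a spray, whereas a single account with many failures is usually a user or a misconfigured client.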