Credential Stuffing Attack on Azure


azure

Classification: attack

Tactic:

Technique:

Set up the Azure integration.

Overview

Goal

Detect and identify the network IP address from which login attempts against multiple user accounts were recorded.

Strategy

Monitor Azure Active Directory sign-in logs and detect when `@evt.category` equals `SignInLogs` and more than one event has `@evt.outcome` equal to `false`, with the failed attempts initiated from the same network IP address.

The Security Signal returns HIGH if `@evt.outcome` has the value `success` after multiple failed logins were initiated from the same network IP address.
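The grouping and severity logic described above, written out as an added example (not Datadog's own rule implementation). It uses the page's `@evt.category` and `@evt.outcome` facets; the `@network.client.ip` and `@usr.name` facet names, the MEDIUM severity for the failures-only case, and the sample events are assumptions.

```python
from collections import defaultdict

# Constructed sample sign-in events, in arrival order. The IP and user facet
# names are assumed; the category and outcome values follow the rule text.
def _ev(ip, user, outcome):
    return {"@evt.category": "SignInLogs", "@evt.outcome": outcome,
            "@network.client.ip": ip, "@usr.name": user}

SAMPLE_EVENTS = [
    _ev("203.0.113.10", "alice@example.com", "false"),
    _ev("203.0.113.10", "bob@example.com", "false"),
    _ev("198.51.100.7", "dave@example.com", "false"),     # single failure: no signal
    _ev("203.0.113.10", "carol@example.com", "false"),
    _ev("203.0.113.10", "carol@example.com", "success"),  # success after failures
    _ev("192.0.2.5", "erin@example.com", "false"),
    _ev("192.0.2.5", "erin@example.com", "false"),        # one account only: no signal
    {"@evt.category": "AuditLogs", "@evt.outcome": "false",
     "@network.client.ip": "203.0.113.10", "@usr.name": "x@example.com"},  # ignored
]

def evaluate_signals(events, failure_threshold=1):
    """Group SignInLogs events by source IP and return {ip: severity}.

    A signal is raised when one IP has more than `failure_threshold` failed
    sign-ins spread over more than one user account (the multi-account
    condition comes from the rule's Goal). Severity is HIGH when a successful
    sign-in from that IP follows the failures; otherwise MEDIUM (assumed,
    since the rule text only specifies the HIGH case).
    """
    state = defaultdict(lambda: {"failures": 0, "users": set(), "success_after": False})
    for ev in events:
        if ev.get("@evt.category") != "SignInLogs":
            continue
        s = state[ev["@network.client.ip"]]
        outcome = str(ev.get("@evt.outcome")).lower()
        if outcome == "false":
            s["failures"] += 1
            s["users"].add(ev["@usr.name"])
        elif outcome == "success" and s["failures"] > failure_threshold:
            s["success_after"] = True
    return {ip: ("HIGH" if s["success_after"] else "MEDIUM")
            for ip, s in state.items()
            if s["failures"] > failure_threshold and len(s["users"]) > 1}

if __name__ == "__main__":
    print(evaluate_signals(SAMPLE_EVENTS))  # {'203.0.113.10': 'HIGH'}
```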

Triage & Response

  1. Inspect the log and determine if this was a valid login attempt.
  2. If the user was compromised, rotate user credentials.