
Summary
This detection rule targets unusual patterns of authentication failures in Azure Active Directory (Azure AD), specifically a single source IP address that attempts to authenticate as multiple valid user accounts and fails. Such behavior is often indicative of a Password Spraying attack, in which an adversary tries a few common passwords against a large number of accounts in turn. The rule leverages Azure SignInLogs data and applies the 3-sigma rule (flagging values more than three standard deviations above the mean) to identify when the number of failed attempts from a particular source IP exceeds its normal behavior. If such an attack succeeds, it could lead to unauthorized access and privilege elevation within Azure AD environments, resulting in potential data breaches or the compromise of sensitive information.
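The detection logic described above, as an added example that is not the rule's own search: it counts distinct accounts with failed sign-ins per source IP over a constructed window of SignInLogs-style rows and flags IPs above mean + 3σ. Field names (`IPAddress`, `UserPrincipalName`, `ResultType`), the baseline being computed across the IPs in the window, and the `min_users` floor are assumptions for the example.

```python
import statistics
from collections import defaultdict

def row(ip, user, result="50126"):
    # Assumed SignInLogs field names; ResultType "0" is success and
    # "50126" is "invalid username or password".
    return {"IPAddress": ip, "UserPrincipalName": user, "ResultType": result}

def build_sample_logs():
    """Constructed sample window (not real data)."""
    logs = []
    # 12 ordinary source IPs: one user each mistypes a password once.
    for i in range(12):
        logs.append(row(f"198.51.100.{i + 1}", f"user{i}@example.com"))
    # 3 shared egress IPs: two distinct users fail behind each.
    for i in range(3):
        for j in range(2):
            logs.append(row(f"192.0.2.{i + 1}", f"nat{i}_{j}@example.com"))
    # One spraying IP: 9 distinct accounts fail once each. A case-variant
    # repeat and a successful sign-in are added and must not inflate the count.
    for k in range(9):
        logs.append(row("203.0.113.7", f"target{k}@example.com"))
    logs.append(row("203.0.113.7", "TARGET0@example.com"))
    logs.append(row("203.0.113.7", "admin@example.com", result="0"))
    return logs

def distinct_failed_users_per_ip(records):
    """Map each source IP to the number of distinct accounts that failed from it."""
    users = defaultdict(set)
    for r in records:
        if r.get("ResultType") != "0":
            users[r["IPAddress"]].add(r["UserPrincipalName"].lower())
    return {ip: len(u) for ip, u in users.items()}

def three_sigma_outliers(counts, min_users=5):
    """Return IPs whose distinct-failure count exceeds mean + 3*stdev.

    min_users stops tiny or uniform populations, where 3 sigma is
    meaningless, from producing alerts on their own.
    """
    values = list(counts.values())
    if len(values) < 2:
        return {}
    threshold = statistics.mean(values) + 3 * statistics.pstdev(values)
    return {ip: n for ip, n in counts.items() if n > threshold and n >= min_users}
```

Note that with a single outlier among otherwise identical counts the 3-sigma bound is only reachable once the population is large enough (a z-score of 3 needs at least 10 values), so the window should cover enough source IPs or time buckets for the baseline to be meaningful.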
Categories
- Cloud
- Identity Management
Data Sources
- Cloud Service
ATT&CK Techniques
- T1110
- T1586
- T1586.003
- T1110.003
- T1110.004
Created: 2024-11-14