
AZT202 - Password Spraying

An adversary may gain access to Azure AD by guessing a common password across multiple users.

Resource

Azure Active Directory

Actions

N/A

Examples

Detections

Logs

| Data Source | Application | Resource | Log Provider |
|---|---|---|---|
| Azure Active Directory | Azure Portal | Windows Azure Service Management API | SignInLogs |
| Azure Active Directory | Microsoft Azure PowerShell | Windows Azure Service Management API | SignInLogs |

Detection Screenshots

Detection Notes

The main difference between a successful and unsuccessful login is the 'Status' field, which will designate a "Success" or "Failure".

Queries

| Platform | Query |
|---|---|
| Log Analytics | `SigninLogs \| where UserId == 'IDGOESHERE'` |
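The query above pulls the sign-ins of one known user. To surface the spray pattern itself (one source failing against many accounts), the following added example, which is not part of the original page, groups failed sign-ins by source IP and lists any accounts that later signed in successfully from that IP. The look-back period, bin size and user threshold are assumptions to tune per tenant; in the Log Analytics `SigninLogs` table the outcome is carried in `ResultType`, where `"0"` is a success.

```kusto
// Added example: flag source IPs with failed sign-ins against many distinct accounts.
// lookback, binSize and minTargetedUsers are assumed starting values; tune them per tenant.
let lookback = 1d;
let binSize = 30m;
let minTargetedUsers = 10;
// Applications listed in the Logs table on this page.
let apps = dynamic(["Azure Portal", "Microsoft Azure PowerShell"]);
let failures =
    SigninLogs
    | where TimeGenerated > ago(lookback)
    | where AppDisplayName in (apps)
    | where ResultType != "0"                       // "0" is a successful sign-in
    | summarize
        TargetedUsers = dcount(UserPrincipalName),  // breadth: distinct accounts tried
        Attempts      = count(),                    // volume: total failed attempts
        ErrorCodes    = make_set(ResultType, 20),
        FirstSeen     = min(TimeGenerated),
        LastSeen      = max(TimeGenerated)
      by IPAddress, bin(TimeGenerated, binSize)
    | where TargetedUsers >= minTargetedUsers;
// Accounts that signed in successfully from the same IP: triage these first.
let successes =
    SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType == "0"
    | summarize CompromiseCandidates = make_set(UserPrincipalName, 100) by IPAddress;
failures
| join kind=leftouter (successes) on IPAddress
| project FirstSeen, LastSeen, IPAddress, TargetedUsers, Attempts, ErrorCodes, CompromiseCandidates
| order by TargetedUsers desc
```

A high `TargetedUsers` count with `Attempts` close to it (about one guess per account) is the typical spray shape. Sources shared by many legitimate users, such as an office NAT or VPN egress, can also cross the threshold and should be allow-listed after review.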

Azure Monitor Alert
