AZT202 - Password Spraying
An adversary may gain access to Azure AD by guessing a common password across multiple users.
Resource
Azure Active Directory
Actions
N/A
Detections
Logs
Data Source | Application | Resource | Log Provider |
---|---|---|---|
Azure Active Directory | Azure Portal | Windows Azure Service Management API | SignInLogs |
Azure Active Directory | Microsoft Azure PowerShell | Windows Azure Service Management API | SignInLogs |
Detection Notes
The main difference between a successful and unsuccessful login is the 'Status' field, which will designate a "Success" or "Failure".
Queries
Platform | Query |
---|---|
Log Analytics | `SigninLogs \| where UserId == 'IDGOESHERE'` |
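
A per-user lookup shows one account's history, while a spray shows up as one source failing against many accounts. The query below is an added example, not part of the original page: it groups sign-ins by source IP and hour and flags sources that fail against many distinct users. The thresholds, the `SampleSignins` name and the sample rows are assumptions constructed for illustration.

```kusto
// Assumed tuning values, not from the original page.
let MinFailedAccounts = 5;   // distinct accounts failing from one source
let Window = 1h;             // aggregation bucket
// Constructed rows shaped like SigninLogs (ResultType "0" means success).
// Swap SampleSignins for SigninLogs to run against a real workspace.
let SampleSignins = datatable(TimeGenerated:datetime, UserPrincipalName:string,
                              IPAddress:string, AppDisplayName:string, ResultType:string)
[
    datetime(2024-01-10 09:00:05), "alice@contoso.example", "203.0.113.10", "Azure Portal", "50126",
    datetime(2024-01-10 09:00:41), "bob@contoso.example",   "203.0.113.10", "Azure Portal", "50126",
    datetime(2024-01-10 09:01:17), "carol@contoso.example", "203.0.113.10", "Azure Portal", "50126",
    datetime(2024-01-10 09:01:52), "dave@contoso.example",  "203.0.113.10", "Microsoft Azure PowerShell", "50126",
    datetime(2024-01-10 09:02:30), "erin@contoso.example",  "203.0.113.10", "Microsoft Azure PowerShell", "50126",
    datetime(2024-01-10 09:03:08), "frank@contoso.example", "203.0.113.10", "Azure Portal", "0",
    datetime(2024-01-10 09:10:00), "grace@contoso.example", "198.51.100.7", "Azure Portal", "50126",
    datetime(2024-01-10 09:10:20), "grace@contoso.example", "198.51.100.7", "Azure Portal", "0"
];
SampleSignins
| summarize
    FailedAccounts    = dcountif(UserPrincipalName, ResultType != "0"),
    FailedAttempts    = countif(ResultType != "0"),
    // Accounts that signed in successfully from the same source in the same
    // window: review these first, a guess may have worked.
    SucceededAccounts = make_set_if(UserPrincipalName, ResultType == "0"),
    Apps              = make_set(AppDisplayName)
    by IPAddress, bin(TimeGenerated, Window)
| where FailedAccounts >= MinFailedAccounts
// A ratio near 1 (one guess per account) is typical of spraying;
// a high ratio against few accounts looks more like brute force.
| extend AttemptsPerAccount = round(todouble(FailedAttempts) / FailedAccounts, 2)
| project TimeGenerated, IPAddress, FailedAccounts, FailedAttempts,
          AttemptsPerAccount, SucceededAccounts, Apps
| order by FailedAccounts desc
```

Treating every non-zero `ResultType` as a failure mirrors the Success/Failure split described in the detection notes; restricting the failure test to `50126` (invalid username or password) cuts noise from MFA prompts and similar interrupts.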