Password spray attack against Azure AD application
It would be great if the alert for this listed the accounts that are being attacked in the entities list. Right now the only thing that shows up is the IP address, which isn't very helpful. I tried to add it using Entity mapping but UserDisplayName is part of a make_set.
Thank you for submitting an Issue to the Azure Sentinel GitHub repo! You should expect an initial response to your Issue from the team within 5 business days. Note that this response may be delayed during holiday periods. For urgent, production-affecting issues please raise a support ticket via the Azure Portal.
Did this get addressed? Nothing looks different.
Sorry for the delay on this and thanks for the suggestion. Normally in the password spray attack the same password is used on many accounts before moving on to another one and repeating the entire process again. Due to the number of possible accounts involved in a password spray it feels like it might not be optimal to map accounts to entity.
Hi @anfisher1967, thank you for flagging this. Apologies for the delayed response. If you still need assistance, please reply here within 5 business days.
Nothing looks any different. Did you change anything?
Hi @anfisher1967, thank you for your suggestion regarding mapping accounts to entities in password spray attacks. As @aprakash13 suggested above, while this approach may work well in some cases, in the case of a password spray attack, it may not be the most optimal solution. This is because the attack involves trying the same password on many accounts before moving on to another one and repeating the process. With the number of accounts involved, mapping each account to an entity may not be the most efficient way to approach the problem. However, we appreciate your input and always welcome feedback on our processes.
Gentle Reminder: We are waiting for your response on this issue. If you still need to keep this issue active, please respond on it in the next 2 days. If we don't receive a response, we will be closing this issue as per our standard procedures, thanks!
Since we have not received a response in the last 5 days, we are closing your issue as per our standard operating procedures. If you still need support for this issue, feel free to re-open at any time. Thank you for your co-operation.
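Added example, not part of the thread and not the shipped rule's query: a KQL sketch of the pattern discussed above, where the accounts collected with make_set are expanded back into one row per account so a single column can be mapped to an Account entity, with a cap to address the volume concern raised in the replies. The sample rows, the threshold of 3 accounts, the cap of 50 and the column names TargetedAccounts, Account, AccountName and AccountUPNSuffix are assumptions made for illustration.

```kusto
// Constructed sample rows standing in for SigninLogs (not real data).
let SampleSignins = datatable(TimeGenerated:datetime, IPAddress:string, AppDisplayName:string,
                              UserPrincipalName:string, ResultType:string)
[
    datetime(2023-01-10T08:00:00Z), "203.0.113.10", "Example App", "alice@contoso.example", "50126",
    datetime(2023-01-10T08:00:05Z), "203.0.113.10", "Example App", "bob@contoso.example",   "50126",
    datetime(2023-01-10T08:00:09Z), "203.0.113.10", "Example App", "carol@contoso.example", "50126",
    datetime(2023-01-10T08:00:14Z), "203.0.113.10", "Example App", "dave@contoso.example",  "50126",
    datetime(2023-01-10T08:03:00Z), "198.51.100.7", "Example App", "erin@contoso.example",  "50126",
    datetime(2023-01-10T08:04:00Z), "198.51.100.7", "Example App", "erin@contoso.example",  "0"
];
let accountThreshold = 3;   // assumed value, tune for the environment
SampleSignins
| where ResultType == "50126"            // invalid username or password
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated),
            AccountCount = dcount(UserPrincipalName),
            TargetedAccounts = make_set(UserPrincipalName, 50)   // cap the set size
    by IPAddress, AppDisplayName
| where AccountCount >= accountThreshold
// A dynamic array cannot be mapped to an entity, so emit one row per account.
// The "Account = ..." form adds a new column and keeps TargetedAccounts for context.
| mv-expand Account = TargetedAccounts to typeof(string) limit 50
// Split the UPN into the parts an Account entity mapping typically uses.
| extend AccountName = tostring(split(Account, "@")[0]),
         AccountUPNSuffix = tostring(split(Account, "@")[1])
| project StartTime, EndTime, IPAddress, AppDisplayName, AccountCount,
          Account, AccountName, AccountUPNSuffix, TargetedAccounts
```

On the sample data this returns four rows for 203.0.113.10, one per targeted account, and nothing for 198.51.100.7, which failed against a single account.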