none
Detecting Bruteforce Attacks RRS feed

  • Question

  • Greetings,

    Does Security Center create alerts for bruteforce attacks on the Azure Portal or any other application that uses the Azure AD for authentication?

    If not, what is the best way to detect such attacks?

    Thank you.

    Thursday, August 1, 2019 9:06 AM

Answers

  • You will be notified about logins from unusal locations, anonymous IP's etc in Azure AD Identity Protection. This will not be reported in Security Center. 

    Azure AD has Smart Lockout enabled by default which prevents bruteforce attacks if you are a managed domain. 

    If you are federated, then you need to configure lockouts at the federation provider to prevent this from happening. 

    Ref: https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-password-smart-lockout

    https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview

    Hope this helps.

    Friday, August 2, 2019 5:09 AM
    Moderator

All replies

  • Greetings,

    as far as i can tell you should be notified in the Security Center.

    See this Blogpost for more information:

    https://azure.microsoft.com/de-de/blog/how-azure-security-center-detects-ddos-attack-using-cyber-threat-intelligence/

    Thursday, August 1, 2019 10:42 AM
  • Thank you for your reply Andreas.

    Security Center notifies about Bruteforce attack against Virtual Machines. That what the blogpost indicates and what I understood from documentation. 

    My concern is about bruteforce against any application that uses Azure AD for authentication. For example, a CMS application.

    Any ideas?

    Thanks. 

    Thursday, August 1, 2019 12:14 PM
  • Greetings,


    I think what you are looking for is the Azure AD Identity Protection. 

    I'm really sorry but event after taking my team reading through the documentation i can't promise you for sure that you will get a notification about brute force attacks on Azure AD Accounts, although i'm pretty sure.

    Here are some links i found useful.

    https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Azure-AD-Identity-Protection-is-in-public-preview-Whoop-whoop/ba-p/244242

    https://docs.microsoft.com/de-de/azure/active-directory/reports-monitoring/concept-sign-ins


    I guess you will have to wait for an answer from a Microsoft Member.

    My sincerest apologies


    Thursday, August 1, 2019 12:38 PM
  • Thank you very much Andreas. And no need to be sorry. You were very kind.

    Cheers.

    Thursday, August 1, 2019 1:33 PM
  • Btw, what about if someone logged in to the Azure Portal from unusual location? Would that trigger an alert in Security Center?

    Thanks.

    Thursday, August 1, 2019 2:40 PM
  • You will be notified about logins from unusal locations, anonymous IP's etc in Azure AD Identity Protection. This will not be reported in Security Center. 

    Azure AD has Smart Lockout enabled by default which prevents bruteforce attacks if you are a managed domain. 

    If you are federated, then you need to configure lockouts at the federation provider to prevent this from happening. 

    Ref: https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-password-smart-lockout

    https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview

    Hope this helps.

    Friday, August 2, 2019 5:09 AM
    Moderator
  • Thank you for your reply.

    One more question: Do the Azure AD Sign-in Logs show only successful logons or also failed logons?

    Cheers.


    Monday, August 5, 2019 9:35 AM
  • Azure AD Sign-logs include failed logons as well. Failed logons of federated domains will not be included. 

    Ref: https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-sign-ins

    Note: Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

    Monday, August 5, 2019 1:03 PM
    Moderator