IBM QRadar


Password spraying attack triggers many offenses

  • 1.  Password spraying attack triggers many offenses

    Posted Fri April 03, 2020 09:35 AM

    Hi, I have an issue with a password spraying attack where the log source type is Microsoft Office 365 and the Protocol Type is Office 365 REST API. QRadar creates 1 offense for every 'User Login Failure' event. The attached image is a snapshot from the Offense tab. Usernames are left out; examples: 'invoice@xx.com, account@xx.com, payment@xx.com'. The attack lasted 10 minutes.

    Rule:


    Has anyone experienced this, and is it related to the log source type, or does it occur because the source IPs are IPv6? How can I tweak the rule so these events trigger just 1 offense? Are there any updates or App content that will fix this issue?

    QRadar version v7.3.2 Build 20190705120852. IBM QRadar Content Extension for Office 365. IBM QRadar Content Extension for Monitoring Microsoft Azure



    ------------------------------
    Jan Vegar
    ------------------------------
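The aggregation the post is asking for, as an added example that is not part of the original post and is not QRadar rule logic or AQL: it contrasts a per-event alert (one alert for every failed login, which is what the poster sees) with a spray detector that groups failures by normalised source address, counts distinct usernames inside a 10-minute window, and raises one alert per source. The events, field names (ts, source_ip, user, outcome) and thresholds are constructed for the illustration and do not match any Office 365 or QRadar schema; the IPv6 addresses are written in mixed forms on purpose to show why the source must be canonicalised before grouping.

```python
"""Password-spray aggregation over constructed Office 365-style login failures.

Added illustration only: not QRadar rule logic, not AQL, not code from the post.
Field names, thresholds and all sample events below are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed sample events. One IPv6 source sprays three accounts within a few
# minutes (its address is written three different ways), one IPv4 source is a
# single user mistyping a password, and one source touches three accounts but
# an hour apart, which a 10-minute window should not flag.
SAMPLE_EVENTS = [
    {"ts": "2020-04-03T09:00:00", "source_ip": "2001:db8::1",           "user": "invoice@xx.com", "outcome": "UserLoginFailed"},
    {"ts": "2020-04-03T09:02:00", "source_ip": "2001:DB8::1",           "user": "account@xx.com", "outcome": "UserLoginFailed"},
    {"ts": "2020-04-03T09:04:00", "source_ip": "2001:db8:0:0:0:0:0:1",  "user": "payment@xx.com", "outcome": "UserLoginFailed"},
    {"ts": "2020-04-03T09:01:00", "source_ip": "203.0.113.7",           "user": "bob@xx.com",     "outcome": "UserLoginFailed"},
    {"ts": "2020-04-03T09:01:30", "source_ip": "203.0.113.7",           "user": "bob@xx.com",     "outcome": "UserLoginFailed"},
    {"ts": "2020-04-03T08:00:00", "source_ip": "198.51.100.9",          "user": "alice@xx.com",   "outcome": "UserLoginFailed"},
    {"ts": "2020-04-03T09:00:00", "source_ip": "198.51.100.9",          "user": "carol@xx.com",   "outcome": "UserLoginFailed"},
    {"ts": "2020-04-03T10:00:00", "source_ip": "198.51.100.9",          "user": "dave@xx.com",    "outcome": "UserLoginFailed"},
]

WINDOW = timedelta(minutes=10)   # assumed spray window, matches the 10-minute attack in the post
MIN_DISTINCT_USERS = 3           # assumed threshold: distinct accounts from one source


def normalize_source(ip_text):
    """Canonicalise IPv4/IPv6 text so '2001:DB8::1' and '2001:db8:0:0:0:0:0:1' share one key."""
    return str(ipaddress.ip_address(ip_text))


def alert_per_event(events):
    """Naive behaviour: one alert for every failed login, regardless of source or user."""
    return [
        {"source_ip": normalize_source(ev["source_ip"]), "user": ev["user"], "ts": ev["ts"]}
        for ev in events
        if ev["outcome"] == "UserLoginFailed"
    ]


def detect_spray(events, window=WINDOW, min_users=MIN_DISTINCT_USERS):
    """One alert per source whose failures hit >= min_users distinct accounts inside window."""
    failures = defaultdict(list)
    for ev in events:
        if ev["outcome"] != "UserLoginFailed":
            continue
        key = normalize_source(ev["source_ip"])
        failures[key].append((datetime.fromisoformat(ev["ts"]), ev["user"]))

    alerts = []
    for src, hits in failures.items():
        hits.sort()  # chronological, so every later hit is at or after hits[i]
        for i, (t0, _) in enumerate(hits):
            # Distinct accounts targeted in the window that starts at this failure.
            users = {u for t, u in hits[i:] if t - t0 <= window}
            if len(users) >= min_users:
                alerts.append({
                    "source_ip": src,
                    "distinct_users": len(users),
                    "first_seen": t0.isoformat(),
                    "users": sorted(users),
                })
                break  # one alert per source, not one per event
    return alerts


if __name__ == "__main__":
    print(f"per-event alerts: {len(alert_per_event(SAMPLE_EVENTS))}")
    for a in detect_spray(SAMPLE_EVENTS):
        print(f"spray from {a['source_ip']}: {a['distinct_users']} accounts, first seen {a['first_seen']}")
```

The two design points worth carrying over to any rule engine are the ones the post's symptoms hint at: the grouping key must be the canonical source address (an IPv6 address that arrives in different textual forms otherwise becomes several keys and several alerts), and the counted quantity must be distinct usernames per source inside a window, not individual failure events. The single-user and slow-spread sources stay silent, which is what keeps a brute-force rule and a spray rule from firing on each other's traffic.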