I'm currently looking into a series of external failed login attempts flagged by our Sentinel alerts. The reports indicate that the reasons for these failures include invalid usernames or incorrect passwords, and I've noticed a significant number of account lockouts as a result. I'm unsure about the next steps in addressing this issue. Any advice on how to proceed would be appreciated!
3 Answers
Yes, MFA is enabled on those accounts, but the source IPs are not showing up in the Entra ID login logs. It's a tricky situation!
Can you give more details? When you say 'external', are you talking about ADFS? Also, do all accounts have MFA enabled?
It sounds like the failed logins are coming from an IP range that starts with 196.251, as logged by your Palo Alto firewall. It looks like it could be a brute force attack, which might explain the multiple account lockouts. Have you figured out what system they're trying to access? Also, if you're using ADFS, enabling smart lockout might help reduce the lockouts further.
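An added example, not part of the original answers: a small triage script that groups failed sign-ins by source prefix (the /16 mirrors how the answer refers to the range by its first two octets) and lists which accounts to review first. The record format, result labels, thresholds and sample data are assumptions constructed for illustration; map them to whatever your firewall or sign-in log export provides.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample records (not from the thread): time, source IP, account, result.
# Addresses are from documentation ranges.
SAMPLE = """\
2024-05-01T10:00:01,203.0.113.10,alice,wrong_password
2024-05-01T10:00:02,203.0.113.11,bob,wrong_password
2024-05-01T10:00:03,203.0.113.12,carol,invalid_username
2024-05-01T10:00:04,203.0.113.10,dave,wrong_password
2024-05-01T10:00:05,203.0.113.13,alice,locked_out
2024-05-01T10:00:06,203.0.113.14,erin,success
2024-05-01T10:05:00,198.51.100.7,frank,wrong_password
2024-05-01T10:05:20,198.51.100.7,frank,success
"""

FAILURES = {"wrong_password", "invalid_username", "locked_out"}

def summarize(text, prefix_len=16):
    """Group sign-in records by source prefix and count what matters for triage."""
    stats = defaultdict(lambda: {"failures": 0, "users": set(),
                                 "locked": set(), "succeeded": set()})
    for _ts, ip, user, result in csv.reader(io.StringIO(text)):
        net = str(ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False))
        s = stats[net]
        if result in FAILURES:
            s["failures"] += 1
            s["users"].add(user)
            if result == "locked_out":
                s["locked"].add(user)
        elif result == "success":
            s["succeeded"].add(user)
    return dict(stats)

def triage(s, min_users=4):
    """Return (label, accounts to review) for one prefix.

    Failures spread over many distinct accounts point to guessing rather than
    one user mistyping; in that case locked-out accounts and any account that
    signed in successfully from the same prefix are reviewed first.
    """
    if len(s["users"]) >= min_users:
        return "multi-account guessing", sorted(s["locked"] | s["succeeded"])
    return "low volume", []
```

A successful sign-in from a prefix that is also guessing across many accounts is the case to escalate; a single user who fails once and then succeeds is left as low volume.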
