I've been looking into a situation with external failed login attempts on our system. The alerts are showing that these attempts involve invalid usernames or incorrect passwords, and we're seeing a significant number of account lockouts as a result. I'm a bit stuck on how to further investigate this issue. Can anyone share some advice on how to proceed?
2 Answers
Could you provide a bit more detail? When you say "external," do you mean through ADFS? Also, is MFA enabled on all accounts? That could help narrow things down.
Yes, MFA is enabled, but I'm unable to find the source IPs in the Entra ID login logs.
It seems like the login attempts are originating from an external IP range starting with 196.251, which appears to indicate a brute force attack leading to multiple account lockouts. Have you checked if it's hitting ADFS? If that's the case, consider enabling smart lockout; it can help mitigate brute force attacks. Here's a link with more info: https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configure-ad-fs-extranet-smart-lockout-protection
I'm not sure what they're trying to log into, or how. It definitely sounds like ADFS might be involved.

The failed logins are coming from IP addresses starting with 196.251, and it's being reported by our PaloAlto firewall. The repeated failed attempts are locking accounts.
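An added example, not code from any poster in this thread: a small triage script that aggregates failed logins per source IP and per account over constructed sample records, flags sources in the 196.251.0.0/16 range mentioned above, sources that fail against many different usernames (a spray pattern), and accounts at or over an assumed lockout threshold. The record shape, the threshold and the sample values are assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample records as (source_ip, username, result); the shape and
# values are assumptions, not the poster's actual firewall or ADFS logs.
SAMPLE_EVENTS = [
    ("196.251.10.4", "j.smith", "fail"),
    ("196.251.10.4", "a.jones", "fail"),
    ("196.251.10.4", "m.lee", "fail"),
    ("196.251.10.4", "nosuchuser", "fail"),
    ("196.251.77.9", "j.smith", "fail"),
    ("196.251.77.9", "j.smith", "fail"),
    ("196.251.77.9", "j.smith", "fail"),
    ("10.0.0.5", "j.smith", "success"),
    ("203.0.113.8", "a.jones", "fail"),
]

SUSPECT_RANGE = ipaddress.ip_network("196.251.0.0/16")  # range named in the thread
LOCKOUT_THRESHOLD = 3  # assumed lockout policy; replace with your domain's value


def triage(events, suspect_range=SUSPECT_RANGE, lockout_threshold=LOCKOUT_THRESHOLD):
    """Summarise failed logins by source IP and by account.

    Returns a dict with:
      per_source: {ip: {"failures": n, "users": set(), "in_suspect_range": bool}}
      at_risk_accounts: usernames with failures >= lockout_threshold
      spraying_sources: ips that failed against more than one username
    """
    per_source = defaultdict(lambda: {"failures": 0, "users": set()})
    per_user = defaultdict(int)
    for ip, user, result in events:
        if result != "fail":
            continue  # only failures feed lockout counters
        per_source[ip]["failures"] += 1
        per_source[ip]["users"].add(user)
        per_user[user] += 1
    for ip, info in per_source.items():
        info["in_suspect_range"] = ipaddress.ip_address(ip) in suspect_range
    return {
        "per_source": dict(per_source),
        "at_risk_accounts": sorted(u for u, n in per_user.items() if n >= lockout_threshold),
        "spraying_sources": sorted(ip for ip, i in per_source.items() if len(i["users"]) > 1),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_EVENTS)
    for ip, info in report["per_source"].items():
        print(f"{ip:15} failures={info['failures']} users={len(info['users'])} suspect={info['in_suspect_range']}")
    print("accounts at/over lockout threshold:", report["at_risk_accounts"])
    print("sources trying multiple usernames:", report["spraying_sources"])
```

Feed it the real tuples exported from the firewall or ADFS audit logs, and the per-source and per-account views together show whether a single source is spraying many accounts or hammering one.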