Managed Sentinel – Alert 017

Alert ID: MS-A017

Alert Name: MCAS Detect Leaked Credentials

Description: When cyber criminals compromise valid passwords of legitimate users, they often share those credentials. This is usually done by posting them publicly on the dark web or paste sites, or by trading or selling the credentials on the black market.

Cloud App Security utilizes Microsoft's threat intelligence to match such leaked credentials to the ones used inside your organization.

Severity Level: High

Threat Indicator: Compromised Credentials

MITRE ATT&CK Tactics: Credential Access

Log Sources: Microsoft Cloud App Security

Recommendations:
1. Immediately reset the user's credentials (change the account password).
2. Notify the user about the action taken.
3. Look for additional indicators of compromise related to the user identified in the alert using Azure Sentinel.
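As an added example for recommendation 3 (not part of the Managed Sentinel alert definition), the following Azure Sentinel KQL query pivots from the affected account to its recent sign-in activity in the SigninLogs table, so an analyst can see whether the leaked password was actually used: which source IPs and locations authenticated as the user, how many failures preceded a success, and which applications were reached. The user principal name and the alert time are placeholders to be replaced with the values from the alert's entities; the column names (UserPrincipalName, IPAddress, Location, ResultType, AppDisplayName, TimeGenerated) are the standard SigninLogs schema.

```kql
// Added example, not from the Managed Sentinel page: hunt for use of a
// leaked credential after an MCAS "Detect Leaked Credentials" alert.
// Placeholders: set these from the alert's entities and timestamp.
let affectedUser = "user@example.com";          // placeholder UPN
let alertTime = datetime(2024-01-01T00:00:00Z);  // placeholder alert time
let lookback = 7d;                               // how far before the alert to compare against
// Baseline: IPs the user signed in from successfully before the alert window.
let knownIPs = SigninLogs
    | where TimeGenerated between ((alertTime - 30d) .. (alertTime - lookback))
    | where UserPrincipalName =~ affectedUser and ResultType == "0"
    | distinct IPAddress;
SigninLogs
| where TimeGenerated > alertTime - lookback
| where UserPrincipalName =~ affectedUser
| summarize
    SignIns   = count(),
    Failures  = countif(ResultType != "0"),   // ResultType "0" is a successful sign-in
    Successes = countif(ResultType == "0"),
    Apps      = make_set(AppDisplayName, 20),
    FirstSeen = min(TimeGenerated),
    LastSeen  = max(TimeGenerated)
    by UserPrincipalName, IPAddress, Location
// Flag source IPs never seen in the user's 30-day baseline: these are the
// sign-ins most likely to represent the leaked credential being used.
| extend NewSourceIP = iff(IPAddress in (knownIPs), "known", "NEW")
| extend AfterAlert = iff(LastSeen > alertTime, "yes", "no")
| order by NewSourceIP asc, Successes desc, Failures desc
```

Rows marked NEW with at least one success, especially those seen after the alert time, are the ones to triage first; a successful sign-in from an unfamiliar IP after the password was known to be leaked is a strong indicator that the reset in recommendation 1 should be followed by session revocation and a review of that account's recent mailbox and file activity.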