IP Rotation Pattern in SSO Spray

Cortex XDR Analytics Alert Reference by Alert name

Product

Cortex XDR

Last date published

2026-01-14

Synopsis

Activation Period	14 Days
Training Period	30 Days
Test Period	1 Hour
Deduplication Period	1 Day
Required Data	Requires one of the following data sources: AzureAD OR Azure SignIn Log OR Duo OR Okta OR OneLogin OR PingOne
Detection Modules	Identity Analytics
Detector Tags
ATT&CK Tactic	Credential Access (TA0006) Resource Development (TA0042)
ATT&CK Technique	Brute Force: Password Spraying (T1110.003) Brute Force: Password Guessing (T1110.001) Compromise Accounts (T1586)
Severity	Informational

Description

A high volume of SSO authentication attempts was observed in a short time window.
This behavior may indicate a password spray attack targeting multiple accounts.

Attacker's Goals

An attacker may be attempting to compromise user accounts through unauthorized access attempts.

Investigative actions

Determine if the activity was performed by a legitimate user.
Check for any successful logins that occurred following a series of failed attempts.
Investigate the AS organization and evaluate the ASN's reputation for malicious activity.
Review historical login behavior from the same IP addresses or ASN.
Validate whether MFA was triggered or bypassed during the authentication attempts.

Variations

Potential Targeted SSO Password Spray Activity Detected

Synopsis

ATT&CK Tactic

ATT&CK Technique

Severity

Medium

Description

A high volume of SSO authentication attempts was observed in a short time window.
This behavior may indicate a password spray attack targeting multiple accounts.

Attacker's Goals

An attacker may be attempting to compromise user accounts through unauthorized access attempts.

Investigative actions

Determine if the activity was performed by a legitimate user.
Check for any successful logins that occurred following a series of failed attempts.
Investigate the AS organization and evaluate the ASN's reputation for malicious activity.
Review historical login behavior from the same IP addresses or ASN.
Validate whether MFA was triggered or bypassed during the authentication attempts.

Suspicious SSO Login Attempts from Multiple IPs

Synopsis

ATT&CK Tactic

ATT&CK Technique

Severity

Low

Description

A high volume of SSO authentication attempts was observed in a short time window.
This behavior may indicate a password spray attack targeting multiple accounts.

Attacker's Goals

An attacker may be attempting to compromise user accounts through unauthorized access attempts.

Investigative actions

Determine if the activity was performed by a legitimate user.
Check for any successful logins that occurred following a series of failed attempts.
Investigate the AS organization and evaluate the ASN's reputation for malicious activity.
Review historical login behavior from the same IP addresses or ASN.
Validate whether MFA was triggered or bypassed during the authentication attempts.