Investigating "Password Spraying" findings

If the source device has a vulnerability scanner installed, this activity is likely related to the vulnerability management software performing a scan.

Review the vulnerability management software’s scan history to see if the software initiated a scan around the time the finding was generated.

Consider creating a detection filter for the client IP address.

If the source device is a firewall, the finding was likely caused by an external actor failing to log in to the firewall.

Investigating the firewall logs is necessary to identify the source of the login failures. The most popular occurrence is login failures from outside of your expected location, such as from outside the United States.

Consider implementing geo-IP filtering to reduce the login failures. You can block the source of the logins, although this method will likely not reduce noise in the long term.

This finding often occurs during penetration tests. If your organization is undergoing a penetration test, confirm with the penetration testing team if the source device is being used for the test.

Depending on the length of the penetration test, resolving these findings without implementing a detection filter is recommended to maintain detection visibility if the device being used by the penetration testing team is a standard-use device that will be returned to normal use after the test. However, a temporary detection filter can be implemented and removed after the test if frequent findings are being generated and causing too much noise for your team.