Account Attacks and IAM Monitoring

Identity Is the New Perimeter

Many incidents begin with a credential. A valid username and password make attacker activity look like normal access unless monitoring weighs context: source IP, time, device posture, token, geolocation, MFA behavior, and privilege changes. SY0-701 expects you to distinguish the attack patterns by their log signature and to choose the containment action that stops an active takeover.

Common Account Attacks

Account lockout is the standard brute-force defense. A common policy locks an account after roughly 5 failed attempts within a short window, which is precisely why spraying limits itself to one or two passwords per account, staying under the threshold. Knowing that trade-off explains why spraying is the answer when failures spread across users rather than concentrate on one.

Realistic Log Snippets

Password spraying (one IP, one password, many users):

2026-06-14T09:10:02Z auth result=fail user=amiller source_ip=203.0.113.44 reason=bad_password
2026-06-14T09:10:03Z auth result=fail user=bchen source_ip=203.0.113.44 reason=bad_password
2026-06-14T09:10:04Z auth result=fail user=ckhan source_ip=203.0.113.44 reason=bad_password
2026-06-14T09:10:05Z auth result=fail user=dross source_ip=203.0.113.44 reason=bad_password

MFA fatigue (repeated denials then approval):

2026-06-14T22:41:11Z mfa user=jprice method=push result=denied source_ip=198.51.100.88
2026-06-14T22:41:50Z mfa user=jprice method=push result=denied source_ip=198.51.100.88
2026-06-14T22:42:31Z mfa user=jprice method=push result=denied source_ip=198.51.100.88
2026-06-14T22:43:04Z mfa user=jprice method=push result=approved source_ip=198.51.100.88

Privilege escalation right after the suspicious login:

2026-06-14T22:45:19Z directory action=add_member actor=jprice target_group=Cloud-Admins target_user=jprice result=success

The last event changes everything. A suspicious login is notable; a suspicious login followed by self-added admin rights is an urgent active takeover.

Monitoring Signals

Good IAM monitoring fuses authentication logs, MFA logs, directory audit logs, endpoint posture, cloud control-plane activity, and PAM events. High-value detections include:

• Many failed logins across many users from one IP (spraying).
• A success immediately after a burst of failures (stuffing/brute force).
• New privileged group membership.
• Impossible travel or an unusual country for the user.
• Sign-in from an unmanaged or non-compliant device.
• An MFA method reset followed by a successful login.
• A service account logging in from an unfamiliar host.
• An OAuth consent grant to a suspicious application.

Response Walkthrough

An analyst sees repeated MFA prompts for jprice, then a success from an unfamiliar source, then a self-add to Cloud-Admins. Correct containment order: revoke active sessions and refresh tokens, disable or force-reset the account per policy, re-enroll/verify MFA methods, inspect and roll back recent privilege changes, and review every action taken after the success. User-awareness training is valuable long term but does not contain the live threat.

Common Traps

• Treating a successful MFA event as automatically safe (fatigue/token theft defeat it).
• Watching failed logins while ignoring privilege changes after a success.
• Resetting the password but leaving sessions and refresh tokens valid.
• Ignoring service accounts because they have no mailbox.
• Blocking one IP without checking whether the credentials were reused elsewhere.

Hardening That Stops These Attacks

Knowing the attack is half the exam; knowing the matching control is the other half. Phishing-resistant MFA such as FIDO2 security keys or passkeys defeats both phishing and MFA fatigue because there is no push to spam and no code to relay. Number matching on push prompts blunts fatigue by forcing the user to type a code shown on the login screen, so blind approvals fail. Account lockout and exponential backoff slow brute force, while a CAPTCHA or device-fingerprint challenge slows automated stuffing.

Defending against credential stuffing specifically means breaking the reuse chain: enforce breached-password screening, require unique passwords, and deploy a password manager-friendly policy. Because stuffing relies on passwords leaked elsewhere, MFA is the strongest single mitigation, but token-binding and conditional access add depth.

UEBA and Risk-Based Authentication

User and entity behavior analytics (UEBA) builds a baseline for each identity, then flags deviations: a finance clerk suddenly running PowerShell against a domain controller, or a login at 3 a.m. from a new country. Risk-based (adaptive) authentication turns those scores into action, stepping up to MFA or blocking outright when risk is high and staying frictionless when risk is low. On the exam, when a stem describes "unusual but technically valid" activity, the behavioral-analytics answer beats a static rule.

Triage Priority Table

The escalation logic mirrors how a SIEM correlation rule should be tuned, and it is exactly the prioritization SY0-701 scenario questions reward.