Symantec VIP unusual spike in authentication failed events

This rule is part of a beta feature. To learn more, contact Support.

Goal

Detect unusual spikes in failed authentication events, indicating potential brute force attacks, credential stuffing, or misconfigurations that could lead to security vulnerabilities.

Strategy

Monitor failed authentication events within Symantec VIP and identify anomalies in the volume or frequency of failures. This helps detect potential malicious activity, user errors, or system misconfigurations requiring attention.

Triage and response

  1. Identify the client IP {{@network.client.ip}} and username {{@usr.name}}. Analyze the frequency, timing, and sources of the failed authentication attempts.
  2. Determine if the failures are due to user errors, system misconfigurations, or potential malicious activity.
  3. Block suspicious IPs, enforce rate-limiting, and assist users with generating valid security codes if necessary.
  4. Escalate confirmed threats to the security team and enhance monitoring for similar activity.
  5. Document event details, investigate root causes, and update detection thresholds or policies accordingly.
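The strategy and triage steps above group failures by client IP and user and look for an abnormal volume. As an added example (not part of the Datadog rule or of Symantec VIP), the Python below buckets constructed sample events into 5-minute windows per @network.client.ip, compares each window against that source's own median baseline plus an absolute floor, and reports how many distinct @usr.name values were targeted, which separates a burst against many accounts from one user retrying a mistyped code. The event format, thresholds and sample values are assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timezone
from statistics import median

# Constructed Symantec VIP-style authentication events (not real log data). Fields
# mirror the attributes the triage steps name: @network.client.ip, @usr.name,
# plus a UTC timestamp and the outcome.
EVENTS = [
    ("2024-05-01T10:00:12Z", "203.0.113.7", "alice", "success"),
    ("2024-05-01T10:01:40Z", "203.0.113.7", "alice", "failure"),
    ("2024-05-01T10:06:03Z", "203.0.113.7", "bob", "failure"),
    ("2024-05-01T10:11:25Z", "203.0.113.7", "alice", "failure"),
    ("2024-05-01T10:12:50Z", "203.0.113.7", "carol", "failure"),
    ("2024-05-01T10:16:01Z", "198.51.100.5", "ivan", "failure"),  # one user
    ("2024-05-01T10:16:30Z", "198.51.100.5", "ivan", "failure"),  # retrying a
    ("2024-05-01T10:17:02Z", "198.51.100.5", "ivan", "failure"),  # bad code
] + [  # burst: one source hitting eight accounts inside a single window
    (f"2024-05-01T10:16:{s:02d}Z", "203.0.113.7", u, "failure")
    for s, u in enumerate("alice bob carol dave erin frank grace heidi".split())
]
WINDOW = 300  # 5-minute buckets, aligned to the epoch

def to_epoch(ts):
    return int(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
               .replace(tzinfo=timezone.utc).timestamp())

def failures_per_window(events, window=WINDOW):
    """Failure count and set of targeted users per (window_start, client_ip)."""
    counts, users = Counter(), defaultdict(set)
    for ts, ip, user, outcome in events:
        if outcome == "failure":
            key = (to_epoch(ts) - to_epoch(ts) % window, ip)
            counts[key] += 1
            users[key].add(user)
    return counts, users

def detect_spikes(events, window=WINDOW, min_failures=5, factor=3.0):
    """Flag buckets above an absolute floor AND `factor` x the median of that IP's
    earlier buckets; the floor silences a lone user's retries, the ratio adapts."""
    counts, users = failures_per_window(events, window)
    history, alerts = defaultdict(list), []
    for (win, ip), n in sorted(counts.items()):  # chronological per key
        baseline = median(history[ip]) if history[ip] else 0
        if n >= min_failures and n > factor * max(baseline, 1):
            alerts.append({"window_start": datetime.fromtimestamp(win, tz=timezone.utc)
                           .strftime("%Y-%m-%dT%H:%M:%SZ"), "client_ip": ip,
                           "failures": n, "baseline": baseline,
                           "distinct_users": len(users[(win, ip)])})
        history[ip].append(n)
    return alerts
```

In production the baseline would come from a longer history than three windows, and the floor and factor should be tuned per tenant so a single department's password rotation day does not page the on-call.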