Ivanti connect secure multiple failed login attempts followed by successful login

This rule is part of a beta feature. To learn more, contact Support.
ivanti-connect-secure

Classification:

attack

Tactic:

TA0006-credential-access

Technique:

T1110-brute-force

Set up the ivanti-connect-secure integration.

This page is not yet available in Spanish. We are working on its translation.
If you have any questions or feedback about our current translation project, feel free to reach out to us!

Goal

Identify cases where a user experiences multiple failed login attempts followed by a successful login, potentially indicating a brute-force attack, credential stuffing, or unauthorized access.

Strategy

This rule monitors failed login attempts and detects cases where a user successfully logs in after several failures. This pattern may indicate that an attacker has successfully guessed or obtained valid credentials.

Triage and Response

  1. Identify the user {{@usr.name}} associated with the failed login attempts followed by a successful login.
  2. Determine if the login attempts are clustered within a short period or if they follow a gradual pattern, as this can help distinguish between brute-force and accidental lockouts.
  3. Investigate if there are any ongoing system issues or maintenance activities that could account for increased login failures.
  4. If suspicious behavior is detected, consider locking the affected accounts, notifying users, and requiring additional authentication steps.