Symantec VIP unusual spike in authentication failed events

This rule is part of a beta feature. To learn more, contact Support.

Goal

Detect an unusual spike in failed authentication events from Symantec VIP. A sudden rise in failures can indicate a brute force attack or credential stuffing against your users, or a misconfiguration (such as a broken integration or expired credential) that causes legitimate authentications to fail and may leave accounts exposed.

Strategy

Monitor failed authentication events within Symantec VIP and flag time windows in which the number or rate of failures deviates significantly from the observed baseline. Spikes of this kind help surface malicious activity (brute force, credential stuffing), widespread user error, or a system misconfiguration that requires attention.

Triage and response

  1. Identify the client IP {{@network.client.ip}} and user name {{@usr.name}}. Analyze the frequency, timing, and sources of the failed authentication attempts: many users failing from a single IP points to credential stuffing or password spraying, one user failing from many IPs points to a targeted brute force attempt, and failures spread across many users and IPs at the same time point to an outage or misconfiguration.
  2. Determine whether the failures are due to user error, a system misconfiguration, or potential malicious activity.
  3. Block suspicious IPs and enforce rate limiting where the activity looks malicious; where the failures are legitimate, assist the affected users with generating valid security codes.
  4. Escalate confirmed threats to the security team and increase monitoring for similar activity against other users or from related sources.
  5. Document the event details, investigate the root cause, and update detection thresholds or policies accordingly.
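The following added example (not Datadog's or Symantec's code) illustrates both the strategy above and the triage steps: it counts failed events per one-minute bucket, flags buckets that exceed the baseline, and breaks each spike down by client IP and user name to suggest one of the triage outcomes. The events are constructed inline; the field names mirror the attributes referenced in the triage steps, while the `evt.outcome` field, the bucket size and every threshold are assumptions for this illustration rather than the rule's actual logic.

```python
"""Spike detection and triage breakdown over failed-authentication events.

Added example: the events are constructed here and the field names mirror
the Datadog attributes the triage steps reference (@network.client.ip,
@usr.name). The 'evt.outcome' field, the one-minute buckets and every
threshold are assumptions for this illustration, not the rule's logic.
"""
from collections import Counter
from statistics import mean, pstdev


def build_sample_events():
    """Constructed sample: ten quiet minutes, one spike minute, one quiet minute."""
    users = ["alice", "bob", "carol", "dave"]
    ips = ["10.0.0.11", "10.0.0.12", "10.0.0.13", "10.0.0.14"]
    events = []
    for minute in range(10):                      # baseline: 2-4 mistyped codes per minute
        for k in range(2 + minute % 3):
            events.append({"minute": minute, "network.client.ip": ips[k % 4],
                           "usr.name": users[(minute + k) % 4], "evt.outcome": "failure"})
        events.append({"minute": minute, "network.client.ip": ips[0],
                       "usr.name": users[0], "evt.outcome": "success"})
    for k in range(40):                           # minute 10: one IP, 30 distinct accounts
        events.append({"minute": 10, "network.client.ip": "198.51.100.7",
                       "usr.name": f"user{k % 30:02d}", "evt.outcome": "failure"})
    events.append({"minute": 11, "network.client.ip": ips[1],
                   "usr.name": users[1], "evt.outcome": "failure"})
    return events


def failures_per_bucket(events):
    """Count failed events per one-minute bucket; successes are ignored."""
    return Counter(e["minute"] for e in events if e["evt.outcome"] == "failure")


def find_spikes(counts, baseline_buckets, z=3.0, min_count=10):
    """Flag buckets whose failure count exceeds mean + z*stdev of the baseline.

    min_count is an absolute floor: with a perfectly flat baseline the stdev is
    zero, and a single extra failure would otherwise be reported as a spike.
    """
    baseline = [counts.get(b, 0) for b in baseline_buckets]
    threshold = max(mean(baseline) + z * pstdev(baseline), min_count)
    return sorted(b for b, n in counts.items()
                  if b not in baseline_buckets and n > threshold)


def classify(top_ip_share, distinct_ips, top_user_share, distinct_users):
    """Map the failure pattern onto the triage outcomes in steps 1 to 3."""
    if top_ip_share >= 0.8 and distinct_users >= 5:
        return "credential stuffing or password spraying from a single source"
    if top_user_share >= 0.8 and distinct_ips >= 5:
        return "distributed brute force against a single account"
    if distinct_ips == 1 and distinct_users == 1:
        return "likely user error or a misconfigured client"
    return "diffuse failures: check for an outage or system misconfiguration"


def triage_bucket(events, bucket):
    """Break one spike bucket down by client IP and user name (triage step 1)."""
    failed = [e for e in events
              if e["minute"] == bucket and e["evt.outcome"] == "failure"]
    if not failed:
        return {"bucket": bucket, "failures": 0, "assessment": "no failures"}
    by_ip = Counter(e["network.client.ip"] for e in failed)
    by_user = Counter(e["usr.name"] for e in failed)
    total = len(failed)
    _, top_ip_n = by_ip.most_common(1)[0]
    _, top_user_n = by_user.most_common(1)[0]
    return {
        "bucket": bucket,
        "failures": total,
        "top_ips": by_ip.most_common(3),
        "top_users": by_user.most_common(3),
        "distinct_ips": len(by_ip),
        "distinct_users": len(by_user),
        "assessment": classify(top_ip_n / total, len(by_ip),
                               top_user_n / total, len(by_user)),
    }


def run_example():
    """Detect the spike in the constructed sample and triage it."""
    events = build_sample_events()
    counts = failures_per_bucket(events)
    spikes = find_spikes(counts, baseline_buckets=range(10))
    return {"counts": dict(counts), "spikes": spikes,
            "triage": [triage_bucket(events, b) for b in spikes]}


if __name__ == "__main__":
    result = run_example()
    print("failures per minute:", result["counts"])
    for t in result["triage"]:
        print(f"spike at minute {t['bucket']}: {t['failures']} failures, "
              f"{t['distinct_ips']} IPs, {t['distinct_users']} users")
        print("  top IPs:", t["top_ips"])
        print("  assessment:", t["assessment"])
```

In the constructed sample the spike minute is dominated by one external IP hitting 30 different accounts, so the breakdown reports credential stuffing or spraying and the response is to block or rate-limit that source (step 3). The `min_count` floor in `find_spikes` is the caveat worth keeping when tuning thresholds (step 5): a quiet, flat baseline has zero variance, and without an absolute floor a single extra failure would page the on-call.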