Symantec VIP unusual spike in authentication failed events
Goal
Detect unusual spikes in failed authentication events, which can indicate brute force attacks, credential stuffing, or misconfigurations that could lead to account compromise.
Strategy
Monitor failed authentication events within Symantec VIP and identify anomalies in the volume or frequency of failures. This helps detect potential malicious activity, user errors, or system misconfigurations requiring attention.
Triage and response
- Identify the client IP {{@network.client.ip}} and user name {{@usr.name}}. Analyze the frequency, timing, and sources of the failed challenge attempts.
- Determine whether the failures are due to user error, system misconfiguration, or potentially malicious activity.
- Block suspicious IPs, enforce rate-limiting, and assist users with generating valid security codes if necessary.
- Escalate confirmed threats to the security team and enhance monitoring for similar activity.
- Document event details, investigate root causes, and update detection thresholds or policies accordingly.
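The detection and triage steps above, as an added worked example (not code from the original page or from Symantec VIP or Datadog): it buckets failed authentications into fixed windows, flags a window whose count exceeds both an absolute floor and a multiple of the median of the preceding windows, and summarizes the top client IPs and user names in the flagged window so the analyst can tell a single-source spray from a targeted account attack. The event attributes `@network.client.ip` and `@usr.name` come from the rule text; the `timestamp` key, the `@evt.outcome` field and its `failure`/`success` values, and the sample events themselves are constructed assumptions for this example.

```python
"""Spike detection over Symantec VIP failed-authentication events (added example).

@network.client.ip and @usr.name are the attributes the rule references; the
timestamp key, @evt.outcome and its values are assumptions, not a real schema.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone
from statistics import median

WINDOW = timedelta(minutes=5)


def build_sample_events():
    """Constructed sample data: a quiet baseline, then a burst from one source."""
    base = datetime(2024, 1, 1, 0, 0, tzinfo=timezone.utc)
    events = []
    for w in range(6):
        # Background: two scattered failures per window plus one success
        # that the detection must ignore.
        for i in range(2):
            events.append({"timestamp": base + timedelta(minutes=5 * w, seconds=30 * i + 7),
                           "@network.client.ip": f"203.0.113.{10 + i}",
                           "@usr.name": f"user{w}{i}", "@evt.outcome": "failure"})
        events.append({"timestamp": base + timedelta(minutes=5 * w, seconds=90),
                       "@network.client.ip": "203.0.113.20",
                       "@usr.name": f"user{w}x", "@evt.outcome": "success"})
    # Burst: 40 failures in one window from a single IP against eight accounts,
    # the shape credential stuffing or password spraying leaves behind.
    for i in range(40):
        events.append({"timestamp": base + timedelta(minutes=30, seconds=5 * i),
                       "@network.client.ip": "198.51.100.77",
                       "@usr.name": f"victim{i % 8}", "@evt.outcome": "failure"})
    return events


def bucket_failures(events, window=WINDOW):
    """Group failed authentications into fixed windows keyed by window start."""
    step = int(window.total_seconds())
    buckets = defaultdict(list)
    for e in events:
        if e["@evt.outcome"] != "failure":
            continue
        epoch = int(e["timestamp"].timestamp())
        start = datetime.fromtimestamp(epoch - epoch % step, tz=timezone.utc)
        buckets[start].append(e)
    return buckets


def detect_spikes(buckets, window=WINDOW, baseline_windows=5,
                  multiplier=3.0, min_failures=10):
    """Flag windows whose failure count exceeds max(min_failures,
    multiplier * median of the preceding windows).

    Windows with no failures count as zero so a quiet period lowers the
    baseline; the absolute floor keeps 1 -> 4 on a low-traffic tenant silent.
    """
    if not buckets:
        return []
    starts, t = [], min(buckets)
    while t <= max(buckets):
        starts.append(t)
        t += window
    counts = [len(buckets.get(s, ())) for s in starts]
    alerts = []
    for i, start in enumerate(starts):
        history = counts[max(0, i - baseline_windows):i]
        baseline = median(history) if history else 0
        if counts[i] > max(min_failures, multiplier * baseline):
            evs = buckets[start]
            alerts.append({
                "window_start": start, "failures": counts[i], "baseline": baseline,
                "top_ips": Counter(e["@network.client.ip"] for e in evs).most_common(3),
                "top_users": Counter(e["@usr.name"] for e in evs).most_common(3),
            })
    return alerts


def classify(alert):
    """Triage hint from the spike's shape: one IP across many accounts looks
    like stuffing or spraying; many IPs on one account looks like a targeted
    guess; neither pattern points at an outage or a configuration change."""
    ip, ip_hits = alert["top_ips"][0]
    user, user_hits = alert["top_users"][0]
    n = alert["failures"]
    if ip_hits >= 0.8 * n and user_hits < 0.5 * n:
        return f"single source {ip} against many accounts"
    if user_hits >= 0.8 * n and ip_hits < 0.5 * n:
        return f"many sources against account {user}"
    return "diffuse: check for a service or configuration change"


def run(events=None, window=WINDOW):
    """Bucket, detect and classify; returns the list of alert dicts."""
    events = build_sample_events() if events is None else events
    alerts = detect_spikes(bucket_failures(events, window), window)
    for a in alerts:
        a["assessment"] = classify(a)
    return alerts


if __name__ == "__main__":
    for a in run():
        print(a["window_start"].isoformat(), a["failures"], "failures, baseline",
              a["baseline"], "|", a["assessment"])
```

On the constructed input only the burst window fires (40 failures against a median baseline of 2), and the summary attributes it to one client IP spread across eight user names. The floor and multiplier are the knobs the last triage step refers to: raise `min_failures` for a tenant with noisy baseline traffic, and lengthen `baseline_windows` if normal load varies through the day.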