Symantec VIP unusual spike in authentication failed events
Goal
Detect unusual spikes in failed authentication events, indicating potential brute force attacks, credential stuffing, or misconfigurations that could lead to security vulnerabilities.
Strategy
Monitor failed authentication events within Symantec VIP and identify anomalies in the volume or frequency of failures. This helps detect potential malicious activity, user errors, or system misconfigurations requiring attention.
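The spike logic described above, written out as an added example (this is not the Datadog rule's own implementation, and the event field names beyond `usr.name` and `network.client.ip`, the window size, the baseline length and the thresholds are all assumptions). It buckets constructed Symantec VIP-style events into one-minute windows, compares each window against a trailing baseline, and then attributes a flagged window to the client IPs and user names behind it so the triage steps below have something to act on:

```python
"""Added example: trailing-baseline spike detection over Symantec VIP-style
failed-authentication events. Field names other than @usr.name and
@network.client.ip are assumed; the sample events are constructed."""
from collections import Counter
from datetime import datetime, timezone
from statistics import mean, pstdev

# Constructed sample: ten quiet minutes with one failure each from varied
# sources, one quiet minute from a new user, then one minute with thirty
# failures against five different accounts from a single client IP.
SAMPLE_EVENTS = []

def _ev(minute, second, user, ip, outcome):
    SAMPLE_EVENTS.append({
        "timestamp": datetime(2024, 1, 1, 12, minute, second, tzinfo=timezone.utc),
        "usr.name": user, "network.client.ip": ip, "outcome": outcome})

for m in range(10):
    _ev(m, 5, "alice", "203.0.113.10", "failure")
    _ev(m, 20, "bob", "198.51.100.7", "success")   # successes are ignored
_ev(10, 2, "carol", "192.0.2.44", "failure")
for s in range(0, 60, 2):
    _ev(11, s, f"user{s % 5}", "192.0.2.99", "failure")


def failures_per_window(events, window_seconds=60):
    """Count failed events per fixed window; empty windows are kept as 0 so
    the baseline is not biased by missing buckets. Returns {epoch: count}."""
    counts = Counter()
    for e in events:
        if e["outcome"] != "failure":
            continue
        counts[int(e["timestamp"].timestamp()) // window_seconds * window_seconds] += 1
    if not counts:
        return {}
    lo, hi = min(counts), max(counts)
    return {b: counts.get(b, 0) for b in range(lo, hi + window_seconds, window_seconds)}


def detect_spikes(counts, baseline_windows=10, min_failures=20, z_threshold=3.0):
    """A window is a spike when it clears an absolute floor (so one stray
    failure on a quiet day never pages anyone) AND sits z_threshold standard
    deviations above the trailing baseline. A flat baseline has stdev 0, so
    sigma is floored at 1 to avoid dividing by zero."""
    buckets = list(counts.items())
    spikes = []
    for i in range(baseline_windows, len(buckets)):
        start, n = buckets[i]
        history = [c for _, c in buckets[i - baseline_windows:i]]
        mu, sigma = mean(history), max(pstdev(history), 1.0)
        z = (n - mu) / sigma
        if n >= min_failures and z >= z_threshold:
            spikes.append({"window_start": start, "failures": n, "z": round(z, 1)})
    return spikes


def attribute_spike(events, window_start, window_seconds=60):
    """Top client IPs and user names among the failures inside one window."""
    ips, users = Counter(), Counter()
    for e in events:
        t = int(e["timestamp"].timestamp())
        if e["outcome"] == "failure" and window_start <= t < window_start + window_seconds:
            ips[e["network.client.ip"]] += 1
            users[e["usr.name"]] += 1
    return {"top_ips": ips.most_common(3), "top_users": users.most_common(3),
            "distinct_users": len(users), "total": sum(ips.values())}


def classify(attribution):
    """Heuristic triage hint (assumed thresholds) from the spike's shape."""
    ip, n = attribution["top_ips"][0]
    if n / attribution["total"] >= 0.8 and attribution["distinct_users"] >= 3:
        return f"single source {ip} hitting many accounts: block or rate-limit the IP"
    if attribution["distinct_users"] == 1:
        return "one account: brute force, or a user retrying a stale security code"
    return "distributed failures: check for a misconfiguration or a botnet"


if __name__ == "__main__":
    for spike in detect_spikes(failures_per_window(SAMPLE_EVENTS)):
        who = attribute_spike(SAMPLE_EVENTS, spike["window_start"])
        print(spike, who, classify(who), sep="\n")
```

With a real feed the baseline should be long enough to cover normal daily variation (a 10-minute trailing mean, as here, only suppresses the noise floor, not the morning login rush), and `min_failures` should be set from the tenant's actual failure rate rather than guessed.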
Triage and response
- Identify the client IP {{@network.client.ip}} and user name {{@usr.name}}. Analyze the frequency, timing, and sources of the failed authentication attempts.
- Determine whether the failures are due to user error, a system misconfiguration, or potentially malicious activity.
- Block suspicious IPs, enforce rate-limiting, and assist users with generating valid security codes if necessary.
- Escalate confirmed threats to the security team and enhance monitoring for similar activity.
- Document event details, investigate root causes, and update detection thresholds or policies accordingly.