---
title: Symantec VIP unusual spike in authentication failed events
description: Datadog, the leading service for cloud-scale monitoring.
---

# Symantec VIP unusual spike in authentication failed events

{% alert level="danger" %}
This rule is part of a beta feature. To learn more, [contact Support](https://docs.datadoghq.com/help/).
{% /alert %}

Classification: attack

Tactic: [TA0006-credential-access](https://attack.mitre.org/tactics/TA0006)

Technique: [T1110-brute-force](https://attack.mitre.org/techniques/T1110)

## Goal{% #goal %}

Detect unusual spikes in failed authentication events, indicating potential brute force attacks, credential stuffing, or misconfigurations that could lead to security vulnerabilities.

## Strategy{% #strategy %}

Monitor failed authentication events within Symantec VIP and identify anomalies in the volume or frequency of failures. This helps detect potential malicious activity, user errors, or system misconfigurations requiring attention.

## Triage and response{% #triage-and-response %}

1. Identify the client IP `{{@network.client.ip}}` and user name `{{@usr.name}}`. Analyze the frequency, timing, and sources of the failed number challenge attempts.
1. Determine if the failures are due to user errors, system misconfigurations, or potential malicious activity.
1. Block suspicious IPs, enforce rate-limiting, and assist users with generating valid security codes if necessary.
1. Escalate confirmed threats to the security team and enhance monitoring for similar activity.
1. Document event details, investigate root causes, and update detection thresholds or policies accordingly.
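
One way to run the spike check from the Strategy section over exported failed-authentication events and get the per-IP and per-user view that triage step 1 asks for. This is an added example, not Datadog's detection rule or anomaly algorithm. The median/MAD baseline, the 5-minute window, the thresholds, the function names and the sample events are assumptions constructed for illustration; the tuple fields stand in for `@network.client.ip` and `@usr.name`.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from statistics import median

BUCKET = timedelta(minutes=5)  # assumed evaluation window
MIN_FAILURES = 10              # assumed floor so quiet periods never alert
K = 5                          # assumed multiplier on the median absolute deviation
EPOCH = datetime(1970, 1, 1)

def bucket_of(ts):
    """Floor a timestamp to the start of its window."""
    return EPOCH + ((ts - EPOCH) // BUCKET) * BUCKET

def find_spikes(events):
    """events: (timestamp, client_ip, user_name) per failed authentication.
    Returns one summary dict per window whose failure count is anomalous."""
    by_bucket = defaultdict(list)
    for ts, ip, user in events:
        by_bucket[bucket_of(ts)].append((ip, user))
    if not by_bucket:
        return []
    # Walk every window in range so that empty windows count toward the baseline.
    series = []
    t, end = min(by_bucket), max(by_bucket)
    while t <= end:
        series.append((t, by_bucket.get(t, [])))
        t += BUCKET
    counts = [len(rows) for _, rows in series]
    base = median(counts)
    mad = median(abs(c - base) for c in counts) or 1  # avoid a zero-width band
    threshold = max(MIN_FAILURES, base + K * mad)
    return [{"start": start, "failures": len(rows),
             "top_ips": Counter(ip for ip, _ in rows).most_common(3),
             "distinct_users": len({user for _, user in rows})}
            for start, rows in series if len(rows) > threshold]

def sample_events():
    """Constructed data: an hour of routine failures plus one burst at 09:35."""
    t0, events = datetime(2024, 1, 1, 9, 0), []
    for i in range(12):  # two routine failures in each 5-minute window
        for j in range(2):
            events.append((t0 + i * BUCKET + timedelta(seconds=30 * j),
                           f"198.51.100.{i + 1}", f"user{i}"))
    for n in range(40):  # 40 failures from one address against 20 user names
        events.append((t0 + 7 * BUCKET + timedelta(seconds=n),
                       "203.0.113.7", f"target{n % 20}"))
    return events

if __name__ == "__main__":
    for spike in find_spikes(sample_events()):
        print(spike)
```

A window dominated by one address with many distinct user names points triage toward the source IP, while many failures for a single user name from its usual address is more consistent with user error or a misconfigured client.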
