Keeper brute force attempt

This rule is part of a beta feature. To learn more, contact Support.

Goal

Detect a high number of failed login attempts for the user: {{@usr.email}} followed by a successful login.

Strategy

Monitor Keeper logs for a significant rise in failed login attempts for a user, along with successful logins for that user. This pattern may indicate unauthorized access attempts or a brute force attack.
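
The strategy above, sketched as an added example (not the rule's own query or code from Keeper): it counts failed logins per user in a sliding window, alerts when a success follows, and records the source IPs and timestamps needed for triage. The threshold, window, field names, and the `login_failure` / `login` event values are assumptions, and the events are constructed sample data.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed tuning values: the rule text gives no threshold or time window.
FAILURE_THRESHOLD = 5
WINDOW = timedelta(minutes=10)

def _ev(clock, email, ip, event):
    # Constructed sample record; field names and the "login_failure"/"login"
    # event values are assumptions, map them to your Keeper log attributes.
    return {"ts": f"2024-05-01T{clock}+00:00", "email": email, "ip": ip, "event": event}

SAMPLE_EVENTS = (
    [_ev(f"10:00:{s:02d}", "alice@example.com", "203.0.113.7", "login_failure") for s in range(0, 60, 10)]
    + [_ev("10:01:10", "alice@example.com", "203.0.113.7", "login")]   # burst, then success
    + [_ev(f"10:02:{s:02d}", "bob@example.com", "198.51.100.4", "login_failure") for s in (0, 20)]
    + [_ev("10:02:40", "bob@example.com", "198.51.100.4", "login")]    # a couple of typos
    + [_ev(f"09:00:{s:02d}", "carol@example.com", "192.0.2.9", "login_failure") for s in range(0, 60, 10)]
    + [_ev("09:30:00", "carol@example.com", "192.0.2.9", "login")]     # success outside window
)

def detect(events, threshold=FAILURE_THRESHOLD, window=WINDOW):
    """Alert on each successful login preceded by >= threshold failures
    for the same user within the window."""
    failures = defaultdict(deque)   # email -> (timestamp, ip) of recent failures
    alerts = []
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["ts"])):
        ts = datetime.fromisoformat(ev["ts"])
        recent = failures[ev["email"]]
        while recent and ts - recent[0][0] > window:   # expire old failures
            recent.popleft()
        if ev["event"] == "login_failure":
            recent.append((ts, ev["ip"]))
        elif ev["event"] == "login":
            if len(recent) >= threshold:
                ips = sorted({ip for _, ip in recent})
                alerts.append({
                    "email": ev["email"],
                    "failed_attempts": len(recent),
                    "failure_ips": ips,
                    "success_ip": ev["ip"],
                    "success_from_failing_ip": ev["ip"] in ips,
                    "first_failure": recent[0][0].isoformat(),
                    "success_time": ts.isoformat(),
                })
            recent.clear()   # a success resets the user's failure streak
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Only the first sample user triggers an alert: the second stays under the threshold, and the third user's failures have aged out of the window by the time the success arrives.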

Triage and response

  • Investigate the source of the failed login attempts to determine whether they are legitimate users experiencing issues or potential attackers.
  • Analyze the patterns of failed login attempts for the user: {{@usr.email}}, including IP addresses and timestamps, to identify any common characteristics.
  • Implement additional security measures, such as account lockouts or deactivations, multi-factor authentication enforcement, and notifications to users about suspicious login attempts.