Symantec VIP multiple mobile push request denied by the user followed by successful login

This rule is part of a beta feature. To learn more, contact Support.

Goal

Detect multiple denied mobile push requests followed by a successful login, which could indicate unauthorized access attempts, phishing attacks, or user confusion.

Strategy

Monitor and identify unusual patterns of denied mobile push requests in Symantec VIP. This helps detect potential security threats, such as adversary-in-the-middle attacks or unintentional user errors, and allows a timely response.
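As an added illustration of the rule's logic (example code, not Datadog's or Symantec's implementation), the following Python script groups constructed sample events by user and raises an alert when a successful login is preceded, within a time window, by at least a threshold number of denied push requests. The event field names, the denial threshold and the window are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, not real Symantec VIP logs. The attribute names
# (usr.name, network.client.ip, evt) and the thresholds below are assumptions.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T09:00:00", "usr.name": "alice", "network.client.ip": "203.0.113.10", "evt": "push_denied"},
    {"ts": "2024-05-01T09:02:00", "usr.name": "alice", "network.client.ip": "203.0.113.10", "evt": "push_denied"},
    {"ts": "2024-05-01T09:05:00", "usr.name": "alice", "network.client.ip": "203.0.113.10", "evt": "login_success"},
    {"ts": "2024-05-01T10:00:00", "usr.name": "bob", "network.client.ip": "198.51.100.7", "evt": "push_denied"},
    {"ts": "2024-05-01T10:01:00", "usr.name": "bob", "network.client.ip": "198.51.100.7", "evt": "login_success"},
    {"ts": "2024-05-01T11:00:00", "usr.name": "carol", "network.client.ip": "192.0.2.9", "evt": "push_denied"},
    {"ts": "2024-05-01T11:01:00", "usr.name": "carol", "network.client.ip": "192.0.2.9", "evt": "push_denied"},
    {"ts": "2024-05-01T11:30:00", "usr.name": "carol", "network.client.ip": "192.0.2.9", "evt": "login_success"},
]

DENY_THRESHOLD = 2               # assumed: denials needed before a login is suspicious
WINDOW = timedelta(minutes=10)   # assumed: denials older than this are not counted


def find_denied_then_success(events, deny_threshold=DENY_THRESHOLD, window=WINDOW):
    """Return one alert per user whose successful login was preceded, within
    `window`, by at least `deny_threshold` denied mobile push requests."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort as strings
        by_user[e["usr.name"]].append(e)

    alerts = []
    for user, evs in by_user.items():
        denials = []  # open denials not yet resolved by a login
        for e in evs:
            t = datetime.fromisoformat(e["ts"])
            if e["evt"] == "push_denied":
                denials.append(e)
            elif e["evt"] == "login_success":
                recent = [d for d in denials
                          if t - datetime.fromisoformat(d["ts"]) <= window]
                if len(recent) >= deny_threshold:
                    alerts.append({
                        "usr.name": user,
                        "denials": len(recent),
                        # IPs for triage step 1: where the denied pushes came from
                        "denial_ips": sorted({d["network.client.ip"] for d in recent}),
                        "login_ip": e["network.client.ip"],
                        "login_ts": e["ts"],
                    })
                denials = []  # a login closes the sequence either way
    return alerts
```

With the sample data only alice triggers an alert: bob has a single denial (below the threshold) and carol's denials fall outside the window.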

Triage and response

  1. Identify the client IP {{@network.client.ip}} and user name {{@usr.name}}. Analyze the frequency, timing, and sources of the denied mobile push requests.
  2. Determine if the denials are due to user errors or indicate unauthorized access attempts, such as phishing or adversary-in-the-middle attacks.
  3. For suspected malicious activity, block source IPs or devices, notify the user, and prompt them to reset credentials.
  4. If user error is identified, provide guidance on proper mobile push authentication practices.
  5. Document the incident, escalate confirmed threats, and update detection rules to enhance monitoring and minimize false positives.