Rules: Brute Force Attempt
Detects multiple failed login attempts for the same username over a 24 hour timeframe. This is designed to catch both slow and quick brute force type attacks. The threshold and time frame can be adjusted based on the customer's environment.
| Detail | Value |
|---|---|
| Type | Threshold |
| Category | Initial Access |
| Apply Risk to Entities | srcDevice_hostname, srcDevice_ip, user_username |
| Signal Name | Brute Force Attempt |
| Summary Expression | Multiple failed login attempts for user: {{user_username}} |
| Threshold Count | 10 |
| Threshold Window | 24h |
| Score/Severity | Static: 4 |
| Enabled by Default | True |
| Prototype | False |
| Tags | _mitreAttackTactic:TA0001, _mitreAttackTactic:TA0006, _mitreAttackTechnique:T1110, _mitreAttackTechnique:T1078, _mitreAttackTechnique:T1586, _mitreAttackTactic:TA0008, _mitreAttackTechnique:T1110.002, _mitreAttackTechnique:T1110.001 |
- Amazon AWS - CloudTrail
- Cisco Systems - ASA
- Cisco Systems - Identity Services Engine
- Cisco Systems - Router and Switch IOS
- Citrix - ADC
- CrowdStrike - Falcon
- Duo Security - Multi-Factor Authentication (MFA)
- Fortinet - Fortigate
- Google - G Suite
- HP - Aruba ClearPass
- JFrog - Artifactory
- JumpCloud - Directory Insights
- JumpCloud - IdP
- Linux - Linux OS Syslog
- Linux - Systemd Journal
- ManageEngine - adauditplus
- Microsoft - Azure
- Microsoft - Graph AD Reporting API
- Microsoft - Office 365
- Microsoft - Windows
- Okta - Single Sign-On
- OneLogin - OneLogin Single Sign-On
- Palo Alto Networks - GlobalProtect
- Palo Alto Networks - Next Generation Firewall
- PingIdentity - PingFederate
- RSA - SecurID Runtime
- RSA - SecurID SinglePoint
| Origin | Field |
|---|---|
| Normalized Schema | device_hostname |
| Direct from Record | fields['resultType'] |
| Normalized Schema | listMatches |
| Normalized Schema | metadata_deviceEventId |
| Normalized Schema | metadata_product |
| Normalized Schema | metadata_vendor |
| Normalized Schema | normalizedAction |
| Normalized Schema | objectType |
| Normalized Schema | srcDevice_hostname |
| Normalized Schema | srcDevice_ip |
| Normalized Schema | success |
| Normalized Schema | user_username |