Rules: Password Attack
Detects multiple failed login attempts from a single source with unique usernames over a 24 hour timeframe. This is designed to catch both slow and quick password spray type attacks. The threshold and time frame can be adjusted based on the customer's environment.
| Detail | Value |
|---|---|
| Type | Threshold |
| Category | Initial Access |
| Apply Risk to Entities | srcDevice_hostname, srcDevice_ip |
| Signal Name | Password Attack |
| Summary Expression | Password attack from IP: {{srcDevice_ip}} |
| Threshold Count | 10 |
| Threshold Window | 24h |
| Score/Severity | Static: 4 |
| Enabled by Default | True |
| Prototype | False |
| Tags | _mitreAttackTactic:TA0001, _mitreAttackTactic:TA0006, _mitreAttackTechnique:T1110, _mitreAttackTechnique:T1078, _mitreAttackTechnique:T1078.001, _mitreAttackTechnique:T1078.002, _mitreAttackTechnique:T1078.003, _mitreAttackTechnique:T1078.004, _mitreAttackTechnique:T1586, _mitreAttackTechnique:T1586.001, _mitreAttackTechnique:T1586.002, _mitreAttackTactic:TA0008, _mitreAttackTechnique:T1110.003, _mitreAttackTechnique:T1110.002, _mitreAttackTechnique:T1110.001 |
- Amazon AWS - CloudTrail
- Cisco Systems - ASA
- Citrix - ADC
- Duo Security - Multi-Factor Authentication (MFA)
- Fortinet - Fortigate
- Google - G Suite
- HP - Aruba ClearPass
- JFrog - Artifactory
- JumpCloud - IdP
- Linux - Linux OS Syslog
- Linux - Systemd Journal
- ManageEngine - adauditplus
- Microsoft - Azure
- Microsoft - Graph AD Reporting API
- Microsoft - Office 365
- Microsoft - Windows
- Okta - Single Sign-On
- OneLogin - OneLogin Single Sign-On
- Palo Alto Networks - GlobalProtect
- Palo Alto Networks - Next Generation Firewall
- RSA - SecurID Runtime
- RSA - SecurID SinglePoint
| Origin | Field |
|---|---|
| Normalized Schema | device_hostname |
| Direct from Record | fields['resultType'] |
| Normalized Schema | listMatches |
| Normalized Schema | metadata_deviceEventId |
| Normalized Schema | metadata_product |
| Normalized Schema | metadata_vendor |
| Normalized Schema | normalizedAction |
| Normalized Schema | objectType |
| Normalized Schema | srcDevice_hostname |
| Normalized Schema | srcDevice_ip |
| Normalized Schema | success |
| Normalized Schema | user_username |