Alert Pack: Brute Force (MITRE ATT&CK Technique: T1110)
Purpose
This alert pack helps protect the perimeter ("the wall") of your systems, and it also helps you confirm that misconfigured system accounts are detected and put back into working order. Brute-force attacks consist of repeated access attempts, so the alerts that detect them are naturally noisy when they fire: an attacker will not stop until they get through, and a misconfigured account that keeps failing to authenticate produces a similar stream of failures. This alert pack helps your SOC identify and remediate whichever issue has caused the alert to fire.
The alerts included in the alert pack will also notify you of issues or misconfigurations in your environment, adding an extra layer of security for you and your business.
What is Brute Force?
Without knowledge of the password for an account or set of accounts, an adversary may systematically guess the password using a repetitive or iterative mechanism. Brute forcing passwords can take place via interaction with a service that will check the validity of those credentials or offline against previously acquired credential data, such as password hashes.
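As an added illustration (it is not part of the original page and is not the alert pack's own detection logic), the following Python script applies the kind of logic a SOC uses to triage T1110 activity over a constructed set of failed-logon records: a sliding-window count of failures per source and account (password guessing), a count of distinct accounts attacked from one source (password spraying), and a cadence heuristic that separates a misconfigured account retrying a stale credential from an attacker. The record shape, the thresholds, the sample data and the heuristic are all assumptions chosen for illustration.

```python
"""Toy brute-force triage over constructed failed-logon records.

Added example, not Devo alert-pack logic. The record shape (timestamp,
account, source IP), thresholds and cadence heuristic are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev


def make_sample_events():
    """Synthetic failed-logon records as (timestamp, account, source_ip).
    Constructed for this example; not captured from any real system."""
    base = datetime.fromisoformat("2024-03-01T10:00:00")
    events = []
    # 1) Password guessing: one source, one account, 12 failures in ~30 s.
    for i in range(12):
        events.append((base + timedelta(seconds=3 * i), "jsmith", "198.51.100.7"))
    # 2) Password spraying: one source, one failure against each of 10 accounts.
    for i in range(10):
        events.append((base + timedelta(seconds=12 * i), f"user{i:02d}", "203.0.113.9"))
    # 3) Misconfigured service account: an internal host retrying a stale
    #    password exactly every 5 minutes for an hour. Noisy, but not an attack.
    for i in range(12):
        events.append((base + timedelta(minutes=5 * i), "svc_backup", "10.0.0.5"))
    # 4) A user mistyping a password twice: should produce no finding.
    events.append((base + timedelta(minutes=7), "bob", "10.0.0.21"))
    events.append((base + timedelta(minutes=7, seconds=30), "bob", "10.0.0.21"))
    return events


def max_in_window(stamps, window):
    """Largest number of timestamps inside any span of length `window`."""
    stamps = sorted(stamps)
    best, start = 0, 0
    for end, t in enumerate(stamps):
        while stamps[start] < t - window:  # drop timestamps older than the window
            start += 1
        best = max(best, end - start + 1)
    return best


def max_distinct_in_window(items, window):
    """Largest number of distinct accounts in any span of length `window`.
    `items` is a list of (timestamp, account) for one source."""
    items = sorted(items)
    live = defaultdict(int)
    best, start = 0, 0
    for end, (t, acct) in enumerate(items):
        live[acct] += 1
        while items[start][0] < t - window:
            old = items[start][1]
            live[old] -= 1
            if live[old] == 0:
                del live[old]
            start += 1
        best = max(best, len(live))
    return best


def looks_like_stale_credential(stamps, min_events=6, min_gap_s=60, max_jitter=0.1):
    """Heuristic (assumption): a machine retrying a stale password fails at a
    near-constant interval, unlike a human or a guessing tool. True when there
    are >= min_events failures whose gaps average >= min_gap_s and vary by no
    more than max_jitter (relative standard deviation)."""
    stamps = sorted(stamps)
    if len(stamps) < min_events:
        return False
    gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
    avg = mean(gaps)
    return avg >= min_gap_s and pstdev(gaps) / avg <= max_jitter


def detect(events, window=timedelta(minutes=5), guess_threshold=10, spray_threshold=8):
    """Return findings as (kind, source_ip, account) tuples. The account is "*"
    for spraying, which is a per-source rather than per-account pattern."""
    by_pair = defaultdict(list)    # (source, account) -> timestamps
    by_source = defaultdict(list)  # source -> (timestamp, account)
    for ts, acct, src in events:
        by_pair[(src, acct)].append(ts)
        by_source[src].append((ts, acct))

    findings = []
    for (src, acct), stamps in by_pair.items():
        if max_in_window(stamps, window) >= guess_threshold:
            findings.append(("password_guessing", src, acct))
        elif looks_like_stale_credential(stamps):
            # A ticket to the account owner, not an incident.
            findings.append(("likely_misconfigured_account", src, acct))
    for src, items in by_source.items():
        if max_distinct_in_window(items, window) >= spray_threshold:
            findings.append(("password_spraying", src, "*"))
    return sorted(findings)


if __name__ == "__main__":
    for finding in detect(make_sample_events()):
        print(*finding)
```

Run as-is, the script reports the guessing source, the spraying source and the service account, and nothing for the user who mistyped twice. The service account trips the cadence check but not the guessing threshold, which is exactly the distinction a SOC needs when deciding between an incident and a configuration ticket. In a real pipeline the thresholds would be tuned per data source, since a public RDP endpoint and an internal domain controller have very different baselines.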
Prerequisites
To use this alert pack, you must have the following data sources available on your domain:
cloud.office365
firewall.paloalto.system
ids.bro.rdp
cloud.office365.management.azureactivedirectory
auth.all
cloud.aws.cloudtrail
box.all.win
Open alert pack
Once you have installed the alert pack, use the Open button at the top right of its card in Exchange to go to the Alert configuration area, where you can filter the list to find the pack's alerts and manage them as required. You can also reach this area from the Navigation pane (Administration → Alert Configuration → Available alerts).
Use alert pack
The alerts in the alert pack are deactivated by default when the pack is installed. Go to the Alert configuration area to activate the ones you need and assign sending policies so that you receive them through the desired channels.