Authentication detections

Authentication is one of the attack vectors most used by malicious actors, and it is the gate to your organization’s data, tools, and people. Attackers are not the only ones who use it: your everyday employees authenticate to reach the tools and data they need to conduct day-to-day business.

The following detections help your Security Operations team notice these events and give them the information they need to respond to each situation.

A login attempt failed because the machine user was not authorized. This can indicate malicious intent.

Source table → auth.all

Detects when a single IP fails to log in to two or more accounts within ten minutes. Both the account-count threshold and the time window should be adjusted to suit organizational needs.

Source table → auth.all
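As an added example (not part of this page or of the product's own detection logic), the following Python implements the second detection above over constructed sample events, with both thresholds exposed as parameters. The record layout (timestamp, source IP, account, result) is assumed for illustration, since the column names of auth.all are not given here.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events standing in for rows of the auth.all table.
# The field names are assumed; real auth.all columns may differ.
SAMPLE_EVENTS = [
    ("2024-05-01T10:00:05", "203.0.113.7", "alice", "fail"),
    ("2024-05-01T10:01:10", "203.0.113.7", "bob", "fail"),
    ("2024-05-01T10:02:30", "203.0.113.7", "carol", "fail"),
    ("2024-05-01T10:03:00", "198.51.100.9", "alice", "fail"),
    ("2024-05-01T10:04:00", "198.51.100.9", "alice", "fail"),  # same account again: one account, no alert
    ("2024-05-01T10:25:00", "203.0.113.7", "dave", "fail"),    # earlier failures have aged out of a 10-minute window
    ("2024-05-01T10:05:00", "192.0.2.4", "erin", "success"),   # successes are ignored
]


def detect_multi_account_failures(events, min_accounts=2, window_minutes=10):
    """Return one alert (ip, accounts, time) per source IP whenever that IP has
    failed against at least `min_accounts` distinct accounts inside the trailing
    window. Both thresholds are parameters so they can be tuned per organization."""
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)   # ip -> deque of (time, account) failures still inside the window
    last_alert = {}               # ip -> time of the last alert, to suppress repeats within one window
    alerts = []
    for ts, ip, account, result in sorted(events, key=lambda e: e[0]):
        if result != "fail":
            continue
        t = datetime.fromisoformat(ts)
        q = recent[ip]
        q.append((t, account))
        # Evict failures older than the window so the count is a true sliding window.
        while q and t - q[0][0] > window:
            q.popleft()
        accounts = frozenset(a for _, a in q)
        if len(accounts) < min_accounts:
            continue
        if ip in last_alert and t - last_alert[ip] <= window:
            continue  # already alerted on this IP in the current window
        last_alert[ip] = t
        alerts.append((ip, accounts, t))
    return alerts


if __name__ == "__main__":
    for ip, accounts, t in detect_multi_account_failures(SAMPLE_EVENTS):
        print(f"{t.isoformat()} {ip} failed against {len(accounts)} accounts: {sorted(accounts)}")
```

Raising `min_accounts` or widening `window_minutes` changes which source IPs fire, which is the tuning the detection description calls for.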
