Symantec VIP multiple numbers challenge failed events

This rule is part of a beta feature. To learn more, contact Support.
symantec-vip

Classification:

attack

Tactic:

TA0006-credential-access

Technique:

T1110-brute-force

이 페이지는 아직 영어로 제공되지 않습니다. 번역 작업 중입니다.
현재 번역 프로젝트에 대한 질문이나 피드백이 있으신 경우 언제든지 연락주시기 바랍니다.

Goal

Detect multiple failed number challenge events in Symantec VIP, which could indicate unauthorized access attempts, user errors, or potential misconfigurations in authentication policies.

Strategy

Monitor repeated failures in the number challenge mechanism, which requires users to enter a unique two-digit number from the login screen into the VIP Access Push notification. Identify patterns of misuse, user confusion, or security threats and take prompt action to secure affected accounts.

Triage and response

  1. Identify the client IP {{@network.client.ip}}, analyze the frequency, timing, and sources of the failed number challenge attempts.
  2. Determine if the failures stem from user errors (such as incorrect input), device synchronization issues, or malicious activity like brute force attacks.
  3. For suspicious activity, block the source IPs, lock the account, and notify the user to reset their credentials.
  4. Assist users in resolving legitimate issues, such as troubleshooting devices or clarifying number challenge instructions.
  5. Document the incident, escalate confirmed threats, and refine detection rules or policies to enhance security.
PREVIEWING: deforest/automation-pipelines-ga