High count of failed logons by a user

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊

↑ Back to Content Index

Identifies when 100 or more failed attempts by a given user in 10 minutes occur on the IIS Server. This could be indicative of attempted brute force based on known account information. This could also simply indicate a misconfigured service or device. References: IIS status code mapping - https://support.microsoft.com/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0 Win32 Status code mapping - https://msdn.microsoft.com/library/cc231199.aspx

Attribute	Value
Type	Analytic Rule
Solution	Standalone Content
ID	`884c4957-70ea-4f57-80b9-1bca3890315b`
Severity	Medium
Kind	Scheduled
Tactics	CredentialAccess
Techniques	T1110
Required Connectors	AzureMonitor(IIS)
Source	View on GitHub

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊

↑ Back to Analytic Rules