Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊
Identifies failed logon attempts from unknown users in Syslog authpriv logs. The unknown user means the account that tried to log in isn't provisioned on the machine. A few hits could indicate someone attempting to access a machine they aren't authorized to access. If there are many of hits, especially from outside your network, it could indicate a brute force attack. Default threshold for logon attempts is 15.
| Attribute | Value |
|---|---|
| Type | Analytic Rule |
| Solution | Syslog |
| ID | e7ec9fa6-e7f7-41ed-a34b-b956837a3ee6 |
| Severity | Medium |
| Kind | Scheduled |
| Tactics | CredentialAccess |
| Techniques | T1110 |
| Required Connectors | Syslog, SyslogAma |
| Source | View on GitHub |
This content item queries data from the following tables:
| Table | Selection Criteria | Transformations | Ingestion API | Lake-Only |
|---|---|---|---|---|
Syslog |
Facility == "authpriv"SyslogMessage has "authentication failure"SyslogMessage has "uid=0"SyslogMessage has "user unknown" |
✓ | ✓ | ? |
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊