02-14-2023 01:54 PM
Occasionally, I see an alert with the description of "LDAP: User Login Brute Force Attempt". If I'm reading the tea leaves correctly, we're relatively confident that we're observing a failed logon for someone performing maintenance on a specific device.
But it would be nice to know what Cortex constitutes as a "brute force attempt". Is it three? Two? Ten? Five failed attempts in two minutes? I have yet to find documentation through granular google searches. Anyone else?
thanks!
02-14-2023 03:07 PM
Hi @Eric_Geater ,
thanks for writing us in Livecommunity
I would say that there is not an exact answer to your question. The alert triggering would depend on what our Analytics engine learnt while performing the baseline. So it might depend on the habits in an environment that might differ from the habits (or what is normal in another environment).
We consider a brute force an abnormal or excessive number of failed attemps in a short period of time and this variables would depend of what was learnt as "normal" in your organization. Which might be different to the values in other organization
I hope this helps, please feel free to click on like or mark this as a solution if this solved your doubt
Luis
02-22-2023 11:31 AM
Thanks for your response. So the answer could be either two, or two million... or somewhere in between. 🙃
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
