Rules: Possible Credential Abuse
This signal logic is designed to catch repeated requests to (and presumably repeated authentication attempts against) the login pages of Drupal, WordPress, and Jira, counted per source IP within a short window.
Detail | Value |
---|---|
Type | Threshold |
Category | Credential Access |
Apply Risk to Entities | device_ip, user_username, device_hostname, srcDevice_ip |
Signal Name | Possible Credential Abuse |
Summary Expression | Multiple logon attempts to login pages for Drupal, Wordpress, and Jira from IP: {{srcDevice_ip}} |
Threshold Count | 50 |
Threshold Window | 5m |
Score/Severity | Static: 4 |
Enabled by Default | True |
Prototype | False |
Tags | _mitreAttackTactic:TA0001, _mitreAttackTactic:TA0003, _mitreAttackTactic:TA0004, _mitreAttackTactic:TA0005, _mitreAttackTactic:TA0006, _mitreAttackTactic:TA0042, _mitreAttackTechnique:T1078, _mitreAttackTechnique:T1078.001, _mitreAttackTechnique:T1078.002, _mitreAttackTechnique:T1078.003, _mitreAttackTechnique:T1078.004, _mitreAttackTechnique:T1586, _mitreAttackTechnique:T1586.001, _mitreAttackTechnique:T1586.002 |
- Akamai - SIEM
- Amazon AWS - Application Load Balancer
- Amazon AWS - CloudFront
- Amazon AWS - Elastic Load Balancer
- Amazon AWS - Web Application Firewall (WAF)
- Bro - Bro
- CheckPoint - URL Filtering
- Cisco Systems - Ironport
- Cisco Systems - Meraki
- Cloudflare - Logpush
- Fortinet - Fortigate
- Google - Google Cloud Platform
- Imperva - Imperva Incapsula
- McAfee - Web Gateway
- Microsoft - Azure
- Squid - Squid Proxy
- Zscaler - Firewall
- Zscaler - Nanolog Streaming Service
Origin | Field |
---|---|
Normalized Schema | device_hostname |
Normalized Schema | device_ip |
Normalized Schema | dstDevice_ip |
Normalized Schema | http_method |
Normalized Schema | http_url_path |
Normalized Schema | srcDevice_ip |
Normalized Schema | user_username |
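The following is an added example of the threshold logic this rule describes, written here for illustration and not Sumo Logic's own rule implementation. It reads records carrying the normalized fields listed above (srcDevice_ip, http_url_path, device_ip, device_hostname, user_username), keeps a 5-minute sliding window of login-page hits per srcDevice_ip, and emits a signal with the rule's summary text and static severity when the 50th hit lands inside the window. The login-path patterns are an assumption: the page does not show the rule's match expression, so the well-known default login paths for the three applications are used; http_method is carried in the records but not used as a filter.

```python
"""Sliding-window threshold detection for repeated login-page requests.

Added example, not Sumo Logic's rule code. Records use the normalized field
names the rule reads plus a timezone-aware "timestamp".
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Assumption: the rule's own match expression is not on the page. These are the
# well-known default login paths for the three applications, not the rule's list.
LOGIN_PATH_PATTERNS = {
    "Drupal": re.compile(r"^/user/login/?$"),
    "WordPress": re.compile(r"^/wp-login\.php$"),
    "Jira": re.compile(r"^/login\.jsp$"),
}

THRESHOLD_COUNT = 50                       # "Threshold Count" from the rule table
THRESHOLD_WINDOW = timedelta(minutes=5)    # "Threshold Window" from the rule table
SEVERITY = 4                               # "Score/Severity: Static: 4"
ENTITY_FIELDS = ("device_ip", "user_username", "device_hostname", "srcDevice_ip")
SIGNAL_NAME = "Possible Credential Abuse"


def login_app(path):
    """Return the application name if path is a tracked login page, else None."""
    for app, pattern in LOGIN_PATH_PATTERNS.items():
        if pattern.match(path):
            return app
    return None


def detect(records):
    """Apply the per-source threshold over a sliding window.

    Records are processed in timestamp order. A signal fires when the
    THRESHOLD_COUNT-th login-page request from one source falls within
    THRESHOLD_WINDOW of the oldest still-counted hit; the window is then
    cleared so the next signal needs another full set of hits.
    """
    windows = defaultdict(deque)   # srcDevice_ip -> timestamps of recent hits
    signals = []
    for rec in sorted(records, key=lambda r: r["timestamp"]):
        if login_app(rec["http_url_path"]) is None:
            continue
        src = rec["srcDevice_ip"]
        ts = rec["timestamp"]
        hits = windows[src]
        hits.append(ts)
        # Drop hits that have aged out of the window.
        while hits and ts - hits[0] > THRESHOLD_WINDOW:
            hits.popleft()
        if len(hits) >= THRESHOLD_COUNT:
            signals.append({
                "name": SIGNAL_NAME,
                "summary": "Multiple logon attempts to login pages for Drupal, "
                           f"Wordpress, and Jira from IP: {src}",
                "severity": SEVERITY,
                "count": len(hits),
                "window_start": hits[0],
                "window_end": ts,
                # Risk is applied only to entity fields that are populated.
                "entities": {f: rec.get(f) for f in ENTITY_FIELDS if rec.get(f)},
            })
            hits.clear()
    return signals


def sample_records():
    """Constructed sample input: 60 POSTs to /wp-login.php in 3 minutes from one
    source, 20 Drupal login requests spread over an hour from another, and
    100 non-login requests from the first source that must not count."""
    base = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    common = {"dstDevice_ip": "10.0.0.5", "device_ip": "10.0.0.5",
              "device_hostname": "web-01", "user_username": None}
    recs = []
    for i in range(60):
        recs.append({**common, "timestamp": base + timedelta(seconds=3 * i),
                     "srcDevice_ip": "203.0.113.10", "http_method": "POST",
                     "http_url_path": "/wp-login.php"})
    for i in range(20):
        recs.append({**common, "timestamp": base + timedelta(minutes=3 * i),
                     "srcDevice_ip": "198.51.100.7", "http_method": "GET",
                     "http_url_path": "/user/login"})
    for i in range(100):
        recs.append({**common, "timestamp": base + timedelta(seconds=i),
                     "srcDevice_ip": "203.0.113.10", "http_method": "GET",
                     "http_url_path": "/index.html"})
    return recs


if __name__ == "__main__":
    for sig in detect(sample_records()):
        print(sig["summary"], "| count:", sig["count"], "| severity:", sig["severity"])
```

Only the first source trips the threshold (its 50th hit arrives 147 seconds after the first); the second source's 20 requests over an hour never reach 50 within any 5-minute span, and the non-login traffic is ignored entirely. Clearing the deque after a signal mirrors the one-signal-per-window behaviour a threshold rule is expected to have, so a burst of 60 requests produces a single signal rather than eleven.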