Rules: Possible Credential Abuse
This signal logic is designed to catch repetitive attempts to call (and presumably attempt to auth via) login pages for drupal, wordpress, and jira.
| Detail | Value |
|---|---|
| Type | Threshold |
| Category | Credential Access |
| Apply Risk to Entities | device_ip, user_username, device_hostname, srcDevice_ip |
| Signal Name | Possible Credential Abuse |
| Summary Expression | Multiple logon attempts to login pages for Drupal, Wordpress, and Jira from IP: {{srcDevice_ip}} |
| Threshold Count | 50 |
| Threshold Window | 5m |
| Score/Severity | Static: 4 |
| Enabled by Default | True |
| Prototype | False |
| Tags | _mitreAttackTactic:TA0001, _mitreAttackTactic:TA0003, _mitreAttackTactic:TA0004, _mitreAttackTactic:TA0005, _mitreAttackTactic:TA0006, _mitreAttackTactic:TA0042, _mitreAttackTechnique:T1078, _mitreAttackTechnique:T1078.001, _mitreAttackTechnique:T1078.002, _mitreAttackTechnique:T1078.003, _mitreAttackTechnique:T1078.004, _mitreAttackTechnique:T1586, _mitreAttackTechnique:T1586.001, _mitreAttackTechnique:T1586.002 |
- Akamai - SIEM
- Amazon AWS - Application Load Balancer
- Amazon AWS - CloudFront
- Amazon AWS - Elastic Load Balancer
- Amazon AWS - Web Application Firewall (WAF)
- Bro - Bro
- CheckPoint - URL Filtering
- Cisco Systems - Ironport
- Cisco Systems - Meraki
- Cloudflare - Logpush
- Fortinet - Fortigate
- Google - Google Cloud Platform
- Imperva - Imperva Incapsula
- McAfee - Web Gateway
- Microsoft - Azure
- Squid - Squid Proxy
- Zscaler - Firewall
- Zscaler - Nanolog Streaming Service
| Origin | Field |
|---|---|
| Normalized Schema | device_hostname |
| Normalized Schema | device_ip |
| Normalized Schema | dstDevice_ip |
| Normalized Schema | http_method |
| Normalized Schema | http_url_path |
| Normalized Schema | srcDevice_ip |
| Normalized Schema | user_username |