LoFP: t1110
Title
Tags
a host failing to authenticate with multiple disabled domain users is not a common behavior for legitimate systems. possible false positive scenarios include but are not limited to vulnerability scanners, multi-user systems and misconfigured systems.
t1110
T1110.003
endpoint
splunk
a host failing to authenticate with multiple invalid domain users is not a common behavior for legitimate systems. possible false positive scenarios include but are not limited to vulnerability scanners, multi-user systems and misconfigured systems.
t1110
T1110.003
endpoint
splunk
a host failing to authenticate with multiple valid domain users is not a common behavior for legitimate systems. possible false positive scenarios include but are not limited to vulnerability scanners and misconfigured systems. if this detection triggers on a host other than a domain controller, the behavior could represent a password spraying attack against the host's local accounts.
t1110
T1110.003
endpoint
splunk
a host failing to authenticate with multiple valid users against a remote host is not a common behavior for legitimate systems. possible false positive scenarios include but are not limited to vulnerability scanners, remote administration tools, misconfigured systems, etc.
t1110
T1110.003
endpoint
splunk
a misconfigured service account can trigger this alert. a password change on an account used by an email client can trigger this alert. security test cycles that include brute force or password spraying activities may trigger this alert.
t1110
ml
elastic
a process failing to authenticate with multiple users is not a common behavior for legitimate user sessions. possible false positive scenarios include but are not limited to vulnerability scanners and misconfigured systems.
t1110
T1110.003
endpoint
splunk
a source ip failing to authenticate with multiple users in a short period of time is not common legitimate behavior.
t1110
T1110.003
T1110.004
t1586
t1586.003
okta tenant
o365 tenant
splunk
a source ip failing to authenticate with multiple users is not common legitimate behavior.
t1110
T1110.003
T1110.004
t1586
t1586.003
azure active directory
splunk
a source user failing to authenticate as multiple users on a host is not a common behavior for regular systems. some applications, however, may exhibit this behavior, in which case sets of users and hosts can be added to an allow list. possible false positive scenarios include systems that several users connect to, like mail servers, identity providers, remote desktop services, citrix, etc.
t1110
T1110.003
endpoint
splunk
a user with more than 20 failed authentication attempts in the span of 5 minutes may also be triggered by a broken application.
t1110
t1110.001
t1201
aws account
azure tenant
splunk
a user with successful authentication events from different ips may also represent the legitimate use of more than one device. filter as needed and/or customize the threshold to fit your environment.
t1110
t1110.001
T1110.003
T1535
t1586
azure tenant
aws account
splunk
account fallback reasons (after failed login with specific account)
t1110
t1110.001
windows
sigma
administrator tooling or automated scripts may make these calls but it is highly unlikely to make several calls in a short period of time.
t1110
t1110.001
t1586
t1586.003
aws account
splunk
although unusual, users who have lost their passwords may trigger this detection. filter as needed.
t1110
t1110.001
o365 tenant
splunk
an ip address with more than 20 failed authentication attempts in the span of 5 minutes may also be triggered by a broken application.
t1110
T1110.003
T1110.004
aws account
splunk
an okta administrator may be logged into multiple accounts from the same host for legitimate reasons.
t1110
okta
elastic
applications that deal with non-domain joined authentications. recommend adjusting the upperbound_unique eval to tailor the correlation to your environment; running with a 24hr search window will smooth out some statistical noise.
t1110
T1110.003
endpoint
splunk
automated processes that attempt to authenticate using expired credentials and unbounded retries may lead to false positives.
t1110
okta
aws
o365
elastic
based on the high-frequency threshold, it would be unlikely for a legitimate user to exceed the threshold for failed totp code attempts in a short time-span.
t1110
azure
elastic
build servers and ci systems can sometimes trigger this alert. security test cycles that include brute force or password spraying activities may trigger this alert.
t1078
t1110
ml
elastic
details for the risk calculation algorithm used by identity protection are unknown and may be prone to false positives.
t1110
T1110.003
t1586
t1586.003
azure active directory
splunk
domain controllers, authentication chokepoints, and vulnerability scanners.
t1110
T1110.003
account
splunk
false positives may be generated by normal provisioning workflows for user device registration.
t1078
t1098.005
t1110
t1556.006
t1621
identity
splunk
false positives may be present. tune okta and tune the analytic to ensure proper fidelity. modify risk score as needed. drop to anomaly until tuning is complete.
t1110
infrastructure
okta tenant
splunk
false positives will be limited to the number of events generated by the analytics tied to the stories. analytics will need to be tested and tuned, and the risk score reduced as needed based on the organization.
t1078
t1110
okta tenant
splunk
if this was approved by a system administrator.
t1078
t1078.004
t1110
t1556
t1556.006
azure
sigma
it is common to see a spike of legitimate failed authentication events on monday mornings.
t1110
T1110.003
endpoint
splunk
known legacy accounts
t1078
t1078.004
t1110
azure
sigma
legitimate or intentional inbound connections from public ip addresses on the smb port.
t1078
t1110
t1133
windows
sigma
legitimate user wrong password attempts.
t1021
t1021.004
t1078
t1078.004
t1110
bitbucket
sigma
misconfigured systems
t1078
t1078.004
t1110
azure
sigma
multiple account lockouts may be also triggered by an application malfunction. filter as needed, and monitor for any unusual activity.
t1110
okta tenant
splunk
no known false positives for this detection. please review this alert.
t1110
T1110.003
T1110.004
t1586
t1586.003
google cloud platform tenant
splunk
no known false positives for this detection. please review this alert.
t1110
T1110.003
T1110.004
t1586
t1586.003
aws account
splunk
security audits may trigger this alert. conditions that generate bursts of failed logins, such as misconfigured applications or account lockouts could trigger this alert.
t1110
ml
elastic
service account misconfigured
t1078
t1078.004
t1110
azure
sigma
shared systems such as kiosks and conference room computers may be used by multiple users.
t1110
okta
elastic
software that uses the caret-encased keywords "pass" and "user" in its command line
t1110
t1110.001
windows
sigma
systems with names equal to the spoofed ones used by the brute force tools
t1110
windows
sigma
the threshold for alert is above 10 attempts and this should reduce the number of false positives.
t1110
o365 tenant
splunk
this detection may yield false positives in scenarios where legitimate bulk sign-in activities occur, such as during company-wide system updates or when users are accessing resources from varying locations in a short time frame, such as in the case of vpns or cloud services that rotate ip addresses. filter as needed.
t1110
T1110.003
T1110.004
t1586
t1586.003
azure tenant
o365 tenant
splunk
this event could stem from users changing an account's password that's used to authenticate via a job or an automated process. investigate the source of such events and mitigate them.
t1110
windows
sigma
tools that use similar command line flags and values
t1110
t1110.002
windows
sigma
unlikely, except due to misconfigurations.
t1078
t1110
t1557
cisco
juniper
huawei
sigma
user has been put in an exception group so they can use legacy authentication
t1078
t1078.004
t1110
azure
sigma
users actually log in but mis-click the deny button at the mfa prompt.
t1078
t1078.004
t1110
t1621
azure
sigma
users may genuinely mistype or forget the password.
t1110
t1110.001
t1586
t1586.003
aws account
splunk
users may genuinely reset the rds password.
t1110
t1586
t1586.003
aws account
splunk
users may share an endpoint related to work or personal use in which separate okta accounts are used.
t1110
okta
elastic
vulnerability scanners
t1078
t1078.004
t1110
t1190
t1505
t1505.001
azure
sigma
vulnerability scanners or system administration tools may also trigger this detection. filter as needed.
t1003.002
t1021.002
t1087
t1110
T1110.004
t1135
endpoint
splunk
vulnerability scanners, print servers, and applications that deal with non-domain joined authentications. recommend adjusting the upperbound_unique eval to tailor the correlation to your environment; running with a 24hr search window will smooth out some statistical noise.
t1110
T1110.003
endpoint
splunk
we recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user.
t1078
t1090
t1098
t1110
t1528
t1606
azure
sigma