
t1110

a misconfigured service account can trigger this alert. a password change on an account used by an email client can trigger this alert. security test cycles that include brute force or password spraying activities may trigger this alert.
account fallback reasons (after failed login with specific account)
an okta administrator may be logged into multiple accounts from the same host for legitimate reasons.
automated processes that attempt to authenticate using expired credentials and unbounded retries may lead to false positives.
based on the high-frequency threshold, it would be unlikely for a legitimate user to exceed the threshold for failed totp code attempts in a short time-span.
build servers and ci systems can sometimes trigger this alert. security test cycles that include brute force or password spraying activities may trigger this alert.
false positives may be generated by normal provisioning workflows for user device registration.
false positives will be limited to the number of events generated by the analytics tied to the stories. analytics will need to be tested and tuned, and the risk score reduced as needed based on the organization.
if this was approved by a system administrator.
ip or users where the usage of multiple operating systems is expected, filter accordingly.
known legacy accounts
legitimate or intentional inbound connections from public ip addresses on the rdp port.
legitimate user wrong password attempts.
misconfigured systems
multiple account lockouts may be also triggered by an application malfunction. filter as needed, and monitor for any unusual activity.
security audits may trigger this alert. conditions that generate bursts of failed logins, such as misconfigured applications or account lockouts could trigger this alert.
service account misconfigured
shared systems such as kiosks and conference room computers may be used by multiple users.
software that uses the caret encased keywords pass and user in its command line
systems with names equal to the spoofed ones used by the brute force tools
the threshold for alert is above 10 attempts and this should reduce the number of false positives.
this event could stem from users changing an account's password that's used to authenticate via a job or an automated process. investigate the source of such events and mitigate them.
tools that use similar command line flags and values
unlikely, except due to misconfigurations.
user has been put in an exception group so they can use legacy authentication.
users actually log in but mis-click the deny button at the mfa prompt.
users may genuinely reset the rds password.
users may share an endpoint related to work or personal use in which separate okta accounts are used.
vulnerability scanners
we recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user.