
While monitoring SIEM alerts, I saw that there were more than 200 failed logons for a user to several hosts in the domain. Obviously, it was triggered as a brute-force attempt.

Assuming it was not an attack, what are the non-malicious root causes that could trigger such alerts, considering that a user will not try 200 wrong passwords manually?

Onyx
  • 200 over what time duration? – user10216038 Feb 16 '21 at 04:07
  • @user10216038 Half an hour. – Onyx Feb 16 '21 at 10:12
  • That's around 9 seconds per attempt. It's within the range of manual attempt possibilities, but would be pretty tenacious. Perhaps a problem with a **Single Sign-On** system making background re-tries? – user10216038 Feb 16 '21 at 17:36
  • @user10216038 Thanks for taking the time to answer. SSO is one of the things I am trying to understand and find out more about. If the password was changed by the user at some point, why didn't that system sync? – Onyx Feb 16 '21 at 19:27
  • Are you sure it's a human user and not a service account? Or maybe a user account that is used for automation and the user is no longer active or no longer has the correct permissions? It's highly unlikely that a real user account would be compromised and then turn around and fail a login 200 times. – Tyler Gallenbeck Feb 27 '21 at 06:44
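The comments above narrow the question to cadence and scope: 200 failures in half an hour is roughly one attempt every 9 seconds, and a steady, machine-like interval from a single source against several hosts points toward a cached stale credential (SSO background re-tries, a service account, a scheduled task) rather than a person at a keyboard. The following script is an added triage example written for this thread; it is not code from the original question or from any SIEM product. The log line format, the host names, the source addresses, and the thresholds are all assumptions constructed for the example. It parses failed-logon records, computes per-user count, time span, mean gap between attempts, the coefficient of variation of those gaps, and the set of target hosts and sources, then applies a simple rule: a burst that meets the alert threshold with near-constant spacing from one source is flagged for a cached-credential check before anyone treats it as an attack.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, pstdev
from typing import Dict, List


@dataclass
class FailedLogon:
    ts: datetime
    user: str
    host: str
    src: str


def parse_line(line: str) -> FailedLogon:
    """Parse one constructed log line.

    Assumed format (not a real product's format):
    "<ISO timestamp> FAILED_LOGON user=<name> host=<target> src=<ip>"
    """
    ts_str, _, rest = line.split(" ", 2)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return FailedLogon(datetime.fromisoformat(ts_str), fields["user"], fields["host"], fields["src"])


def build_sample() -> List[str]:
    """Constructed sample telemetry; hostnames, users and addresses are invented."""
    start = datetime(2021, 2, 16, 3, 30, 0)
    hosts = ["SRV01", "SRV02", "SRV03", "SRV04"]
    lines = []
    # j.doe: 200 failures at a steady 9 s cadence, rotating over four hosts, one source.
    # This is the shape a background re-try with a stale cached password would leave.
    for i in range(200):
        ts = (start + timedelta(seconds=9 * i)).isoformat()
        lines.append(f"{ts} FAILED_LOGON user=j.doe host={hosts[i % 4]} src=10.0.0.5")
    # a.smith: four failures at irregular, human-paced gaps against a single workstation.
    for gap in (0, 7, 25, 61):
        ts = (start + timedelta(seconds=gap)).isoformat()
        lines.append(f"{ts} FAILED_LOGON user=a.smith host=WS17 src=10.0.0.9")
    return lines


def summarize(records: List[FailedLogon]) -> Dict[str, dict]:
    """Per-user statistics that distinguish a scripted cadence from manual typing."""
    by_user: Dict[str, List[FailedLogon]] = {}
    for r in records:
        by_user.setdefault(r.user, []).append(r)
    out: Dict[str, dict] = {}
    for user, recs in by_user.items():
        recs.sort(key=lambda r: r.ts)
        gaps = [(b.ts - a.ts).total_seconds() for a, b in zip(recs, recs[1:])]
        avg = mean(gaps) if gaps else 0.0
        # Coefficient of variation of the inter-attempt gap: ~0 means clockwork spacing.
        cv = (pstdev(gaps) / avg) if len(gaps) > 1 and avg > 0 else 0.0
        out[user] = {
            "count": len(recs),
            "span_s": (recs[-1].ts - recs[0].ts).total_seconds(),
            "mean_gap_s": avg,
            "gap_cv": cv,
            "hosts": sorted({r.host for r in recs}),
            "sources": sorted({r.src for r in recs}),
        }
    return out


def triage(stats: dict, threshold: int = 200, window: timedelta = timedelta(minutes=30)) -> str:
    """Assumed triage rule: thresholds mirror the alert in the question, not a standard."""
    if stats["count"] < threshold or stats["span_s"] > window.total_seconds():
        return "below-threshold"
    if stats["gap_cv"] < 0.1 and len(stats["sources"]) == 1:
        # Near-constant spacing from one source: look for a stale password in an SSO
        # agent, mapped drive, scheduled task or service before escalating as brute force.
        return "check-cached-credential"
    return "review-manually"


if __name__ == "__main__":
    summary = summarize([parse_line(line) for line in build_sample()])
    for user, stats in summary.items():
        print(user, stats["count"], f"{stats['mean_gap_s']:.1f}s", stats["hosts"], triage(stats))
```

The rule deliberately only routes the alert to a different first check; it does not close it. A credential-spraying tool can also pace itself evenly, so the distinguishing evidence in practice is the source: a single internal workstation or server the user owns, combined with a recent password change, supports the stale-credential explanation, while an unfamiliar source does not.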
