Use Case: Brute Force Attack

June 14, 2023 · View on GitHub

Use Case: Brute Force Attack

Vendor: Accellion

Product	Event Types	MITRE ATT&CK® TTP	Content
Kiteworks	account-lockout account-password-change account-password-reset account-unlocked app-activity app-login dlp-alert dlp-email-alert-out failed-app-login file-delete file-download file-permission-change file-read file-upload file-write	T1110 - Brute Force	1 Rules

Vendor: Airlock

Product	Event Types	MITRE ATT&CK® TTP	Content
Web Application Firewall	app-activity-failed app-login failed-app-login file-delete file-download file-upload file-write network-connection-failed network-connection-successful vpn-logout	T1110 - Brute Force	1 Rules 1 Models

Vendor: Amazon

Product	Event Types	MITRE ATT&CK® TTP	Content
AWS Bastion	failed-logon remote-logon	T1021.001 - Remote Services: Remote Desktop Protocol T1110 - Brute Force T1110.003 - T1110.003	9 Rules

Vendor: Auth0

Product	Event Types	MITRE ATT&CK® TTP	Content
Auth0	account-password-change-failed app-login failed-logon security-alert	T1021.001 - Remote Services: Remote Desktop Protocol T1110 - Brute Force T1110.003 - T1110.003	9 Rules

Vendor: Barracuda

Product	Event Types	MITRE ATT&CK® TTP	Content
Barracuda Firewall	failed-vpn-login network-connection-failed network-connection-successful remote-logon vpn-login vpn-logout	T1110 - Brute Force	1 Rules 1 Models

Vendor: CDS

Product	Event Types	MITRE ATT&CK® TTP	Content
CDS	failed-logon remote-logon	T1021.001 - Remote Services: Remote Desktop Protocol T1110 - Brute Force T1110.003 - T1110.003	9 Rules

Vendor: CatoNetworks

Product	Event Types	MITRE ATT&CK® TTP	Content
Cato Cloud	network-alert vpn-connection vpn-login vpn-logout web-activity-allowed web-activity-denied	T1110 - Brute Force	1 Rules 1 Models

Vendor: Check Point

Product	Event Types	MITRE ATT&CK® TTP	Content
Identity Awareness	failed-vpn-login network-connection-failed network-connection-successful vpn-login vpn-logout	T1110 - Brute Force	1 Rules 1 Models
NGFW	app-login authentication-failed authentication-successful dlp-email-alert-in dlp-email-alert-out failed-vpn-login local-logon network-alert network-connection-failed network-connection-successful vpn-connection vpn-login vpn-logout web-activity-allowed web-activity-denied	T1110 - Brute Force	1 Rules 1 Models
Security Gateway	failed-vpn-login vpn-login vpn-logout	T1110 - Brute Force	1 Rules 1 Models

Vendor: Cisco

Product	Event Types	MITRE ATT&CK® TTP	Content
Adaptive Security Appliance	authentication-failed authentication-successful dns-response failed-logon failed-vpn-login file-download file-upload nac-logon network-connection-successful process-created remote-logon vpn-login vpn-logout web-activity-denied	T1021.001 - Remote Services: Remote Desktop Protocol T1110 - Brute Force T1110.003 - T1110.003	10 Rules 1 Models
AnyConnect	process-network vpn-login vpn-logout	T1110 - Brute Force	1 Rules 1 Models
Duo Access Security	account-creation account-deleted account-lockout account-password-reset app-activity app-login authentication-failed authentication-successful failed-app-login failed-vpn-login vpn-login	T1110 - Brute Force	1 Rules
Firepower	authentication-successful dns-query dns-response failed-vpn-login file-download nac-logon netflow-connection network-alert network-connection-failed network-connection-successful process-created security-alert vpn-login vpn-logout web-activity-allowed web-activity-denied	T1110 - Brute Force	1 Rules 1 Models
ISE	app-activity authentication-failed authentication-successful computer-logon config-change failed-logon failed-vpn-login nac-failed-logon nac-logon remote-logon vpn-login vpn-logout	T1021.001 - Remote Services: Remote Desktop Protocol T1110 - Brute Force T1110.003 - T1110.003	10 Rules 1 Models
Meraki MX appliances	network-alert network-connection-failed network-connection-successful vpn-login vpn-logout web-activity-allowed web-activity-denied	T1110 - Brute Force	1 Rules 1 Models

Vendor: Citrix

Product	Event Types	MITRE ATT&CK® TTP	Content
Citrix Netscaler	app-login authentication-failed failed-vpn-login process-created vpn-login vpn-logout	T1110 - Brute Force	1 Rules 1 Models
Citrix Netscaler VPN	authentication-failed authentication-successful remote-access remote-logon vpn-connection vpn-logout web-activity-allowed	T1110 - Brute Force	1 Rules 1 Models

Vendor: CyberArk

Product	Event Types	MITRE ATT&CK® TTP	Content
CyberArk Vault	account-password-change account-password-change-failed account-password-reset account-switch app-activity app-activity-failed app-login failed-app-login failed-logon file-delete file-permission-change file-read file-write remote-logon security-alert	T1021.001 - Remote Services: Remote Desktop Protocol T1110 - Brute Force T1110.003 - T1110.003	9 Rules

Vendor: Delinea

Product	Event Types	MITRE ATT&CK® TTP	Content
Centrify Authentication Service	account-password-reset authentication-failed authentication-successful failed-logon local-logon remote-logon	T1021.001 - Remote Services: Remote Desktop Protocol T1110 - Brute Force T1110.003 - T1110.003	9 Rules

Vendor: Dell

Product	Event Types	MITRE ATT&CK® TTP	Content
RSA Authentication Manager	account-lockout app-login authentication-failed authentication-successful failed-app-login	T1110 - Brute Force	1 Rules
SonicWALL Aventail	vpn-login vpn-logout	T1110 - Brute Force	1 Rules 1 Models

Vendor: Dropbox

Product	Event Types	MITRE ATT&CK® TTP	Content
Dropbox	app-activity app-login file-delete file-download file-permission-change file-read file-write vpn-logout	T1110 - Brute Force	1 Rules 1 Models

Vendor: ESET

Product	Event Types	MITRE ATT&CK® TTP	Content
ESET Endpoint Security	app-login authentication-failed authentication-successful failed-logon network-alert security-alert web-activity-denied	T1021.001 - Remote Services: Remote Desktop Protocol T1110 - Brute Force T1110.003 - T1110.003	9 Rules

Vendor: Entrust

Product	Event Types	MITRE ATT&CK® TTP	Content
IdentityGuard	account-lockout authentication-failed authentication-successful	T1110 - Brute Force	1 Rules

Vendor: Extreme Networks

Product	Event Types	MITRE ATT&CK® TTP	Content
Zebra wireless LAN management	failed-logon	T1021.001 - Remote Services: Remote Desktop Protocol T1110 - Brute Force T1110.003 - T1110.003	9 Rules

Vendor: F5

Product	Event Types	MITRE ATT&CK® TTP	Content
F5 BIG-IP	account-password-change-failed authentication-failed authentication-successful failed-logon failed-vpn-login network-connection-successful remote-logon vpn-login vpn-logout	T1021.001 - Remote Services: Remote Desktop Protocol T1110 - Brute Force T1110.003 - T1110.003	10 Rules 1 Models
F5 BIG-IP Access Policy Manager (APM)	authentication-failed authentication-successful vpn-login vpn-logout	T1110 - Brute Force	1 Rules 1 Models

Vendor: Forescout

Product	Event Types	MITRE ATT&CK® TTP	Content
EyeInspect	failed-logon	T1021.001 - Remote Services: Remote Desktop Protocol T1110 - Brute Force T1110.003 - T1110.003	9 Rules

Vendor: Fortinet

Product	Event Types	MITRE ATT&CK® TTP	Content
Fortinet VPN	authentication-successful failed-vpn-login vpn-login vpn-logout	T1110 - Brute Force	1 Rules 1 Models

Vendor: GoAnywhere

Product	Event Types	MITRE ATT&CK® TTP	Content
GoAnywhere MFT	failed-logon file-delete file-download file-upload remote-logon	T1021.001 - Remote Services: Remote Desktop Protocol T1110 - Brute Force T1110.003 - T1110.003	9 Rules

Vendor: IBM

Product	Event Types	MITRE ATT&CK® TTP	Content
IBM Sterling B2B Integrator	app-activity failed-logon member-added member-removed remote-logon	T1021.001 - Remote Services: Remote Desktop Protocol T1110 - Brute Force T1110.003 - T1110.003	9 Rules

Vendor: Ipswitch

Product	Event Types	MITRE ATT&CK® TTP	Content
MoveIt DMZ	account-password-change authentication-failed authentication-successful failed-logon file-delete file-download file-upload file-write member-added	T1021.001 - Remote Services: Remote Desktop Protocol T1110 - Brute Force T1110.003 - T1110.003	9 Rules

Vendor: Juniper Networks

Product	Event Types	MITRE ATT&CK® TTP	Content
Juniper Networks Pulse Secure	account-deleted app-activity authentication-failed authentication-successful failed-vpn-login network-connection-failed vpn-connection vpn-login vpn-logout	T1110 - Brute Force	1 Rules 1 Models
Juniper VPN	account-deleted authentication-failed authentication-successful failed-vpn-login vpn-login vpn-logout web-activity-allowed	T1110 - Brute Force	1 Rules 1 Models

Vendor: Linux

Product	Event Types	MITRE ATT&CK® TTP	Content
SSH	failed-logon remote-logon	T1021.001 - Remote Services: Remote Desktop Protocol T1110 - Brute Force T1110.003 - T1110.003	9 Rules

Vendor: Microsoft

Product	Event Types	MITRE ATT&CK® TTP	Content
Defender ATP	app-login batch-logon failed-logon file-delete file-write local-logon member-added member-removed process-created process-network process-network-failed remote-access remote-logon security-alert service-logon	T1021.001 - Remote Services: Remote Desktop Protocol T1110 - Brute Force T1110.003 - T1110.003	9 Rules
Routing and Remote Access Service	authentication-successful vpn-login vpn-logout	T1110 - Brute Force	1 Rules 1 Models
Windows	account-creation account-deleted account-disabled account-enabled account-lockout account-password-change account-password-change-failed account-password-reset account-switch account-unlocked app-login audit-log-clear audit-policy-change authentication-failed authentication-successful batch-logon computer-logon config-change dcom-activation-failed dns-query dns-response ds-access failed-app-login failed-logon failed-vpn-login file-close file-delete file-read file-write kerberos-logon local-logon logout-remote member-added member-removed nac-failed-logon nac-logon network-connection-successful ntlm-logon privileged-access privileged-object-access process-created process-network process-network-failed registry-write remote-access remote-logon security-alert service-created service-logon share-access share-access-denied task-created usb-activity usb-insert vpn-login vpn-logout winsession-disconnect workstation-locked workstation-unlocked	T1021.001 - Remote Services: Remote Desktop Protocol T1110 - Brute Force T1110.003 - T1110.003	11 Rules 1 Models

Vendor: NCP

Product	Event Types	MITRE ATT&CK® TTP	Content
NCP	authentication-failed vpn-login vpn-logout	T1110 - Brute Force	1 Rules 1 Models

Vendor: NetMotion Wireless

Product	Event Types	MITRE ATT&CK® TTP	Content
NetMotion Wireless	vpn-login vpn-logout	T1110 - Brute Force	1 Rules 1 Models

Vendor: Netwrix

Product	Event Types	MITRE ATT&CK® TTP	Content
Netwrix Auditor	account-disabled account-lockout account-password-reset account-unlocked app-activity app-login database-access database-failed-login ds-access failed-app-login failed-logon file-delete file-write member-added member-removed	T1021.001 - Remote Services: Remote Desktop Protocol T1110 - Brute Force T1110.003 - T1110.003	10 Rules

Vendor: Nortel Contivity

Product	Event Types	MITRE ATT&CK® TTP	Content
Nortel Contivity VPN	vpn-login vpn-logout	T1110 - Brute Force	1 Rules 1 Models

Vendor: Okta

Product	Event Types	MITRE ATT&CK® TTP	Content
Okta Adaptive MFA	account-creation account-enabled account-lockout account-password-change account-password-reset app-activity app-activity-failed app-login authentication-failed authentication-successful failed-app-login member-added member-removed security-alert	T1110 - Brute Force	1 Rules

Vendor: OneSpan

Product	Event Types	MITRE ATT&CK® TTP	Content
OneSpan	failed-logon	T1021.001 - Remote Services: Remote Desktop Protocol T1110 - Brute Force T1110.003 - T1110.003	9 Rules

Vendor: Palo Alto Networks

Product	Event Types	MITRE ATT&CK® TTP	Content
GlobalProtect	app-activity authentication-failed authentication-successful config-change failed-logon failed-vpn-login remote-logon vpn-login vpn-logout	T1021.001 - Remote Services: Remote Desktop Protocol T1110 - Brute Force T1110.003 - T1110.003	10 Rules 1 Models

Vendor: Quest Software

Product	Event Types	MITRE ATT&CK® TTP	Content
Change Auditor	account-lockout account-password-change account-password-change-failed account-unlocked ds-access failed-ds-access failed-logon file-delete file-read file-write local-logon member-added member-removed remote-logon	T1021.001 - Remote Services: Remote Desktop Protocol T1110 - Brute Force T1110.003 - T1110.003	10 Rules

Vendor: RSA

Product	Event Types	MITRE ATT&CK® TTP	Content
SecurID	authentication-failed authentication-successful vpn-logout	T1110 - Brute Force	1 Rules 1 Models

Vendor: SAP

Product	Event Types	MITRE ATT&CK® TTP	Content
SAP	account-creation account-deleted account-lockout account-password-change account-unlocked app-activity app-login authentication-failed authentication-successful failed-app-login file-download file-write gcp-bucket-create gcp-compute-list gcp-function-write gcp-general-activity gcp-instance-screenshot gcp-role-list gcp-serviceaccount-creds-write gcp-storage-list gcp-storageobject-read gcp-storageobject-write remote-logon	T1110 - Brute Force	1 Rules

Vendor: SSL Open VPN

Product	Event Types	MITRE ATT&CK® TTP	Content
SSL Open VPN	app-activity app-activity-failed authentication-failed authentication-successful failed-vpn-login vpn-login vpn-logout	T1110 - Brute Force	1 Rules 1 Models

Vendor: Sailpoint

Product	Event Types	MITRE ATT&CK® TTP	Content
SecurityIQ	account-creation account-deleted account-lockout account-password-reset file-delete file-download file-permission-change file-read file-upload file-write member-added member-removed	T1110 - Brute Force	1 Rules

Vendor: SecureNet

Product	Event Types	MITRE ATT&CK® TTP	Content
SecureNet	vpn-login vpn-logout	T1110 - Brute Force	1 Rules 1 Models

Vendor: Sonicwall

Product	Event Types	MITRE ATT&CK® TTP	Content
Sonicwall	failed-vpn-login network-alert remote-logon vpn-login vpn-logout web-activity-allowed web-activity-denied	T1110 - Brute Force	1 Rules 1 Models

Vendor: Sophos

Product	Event Types	MITRE ATT&CK® TTP	Content
Sophos XG Firewall	app-login failed-vpn-login network-connection-failed network-connection-successful vpn-login vpn-logout web-activity-allowed web-activity-denied	T1110 - Brute Force	1 Rules 1 Models

Vendor: Symantec

Product	Event Types	MITRE ATT&CK® TTP	Content
Symantec Critical System Protection	account-switch config-change failed-logon local-logon member-added member-removed	T1021.001 - Remote Services: Remote Desktop Protocol T1110 - Brute Force T1110.003 - T1110.003	9 Rules

Vendor: Unix

Product	Event Types	MITRE ATT&CK® TTP	Content
Unix	account-creation account-deleted account-lockout account-password-change account-switch authentication-failed authentication-successful batch-logon computer-logon dlp-email-alert-in dlp-email-alert-in-failed dlp-email-alert-out dlp-email-alert-out-failed failed-logon file-delete file-permission-change file-read file-write kerberos-logon local-logon member-added member-removed network-connection-failed process-created process-created-failed remote-access remote-logon security-alert task-created	T1021.001 - Remote Services: Remote Desktop Protocol T1110 - Brute Force T1110.003 - T1110.003	10 Rules
Unix Auditd	account-creation account-deleted account-password-change account-switch app-activity-failed authentication-failed authentication-successful failed-logon local-logon member-added member-removed process-created process-created-failed remote-logon	T1021.001 - Remote Services: Remote Desktop Protocol T1110 - Brute Force T1110.003 - T1110.003	9 Rules

Vendor: VMS Software

Product	Event Types	MITRE ATT&CK® TTP	Content
OpenVMS	batch-logon failed-logon file-delete file-read remote-logon	T1021.001 - Remote Services: Remote Desktop Protocol T1110 - Brute Force T1110.003 - T1110.003	9 Rules

Vendor: VMware

Product	Event Types	MITRE ATT&CK® TTP	Content
VMware VCenter	app-activity app-login failed-logon remote-logon	T1021.001 - Remote Services: Remote Desktop Protocol T1110 - Brute Force T1110.003 - T1110.003	9 Rules

Vendor: Zeek

Product	Event Types	MITRE ATT&CK® TTP	Content
Zeek Network Security Monitor	app-activity authentication-failed authentication-successful computer-logon dlp-email-alert-in dlp-email-alert-out dns-query dns-response failed-logon file-delete file-read file-write kerberos-logon nac-failed-logon nac-logon network-alert network-connection-failed network-connection-successful ntlm-logon remote-access remote-logon share-access web-activity-allowed web-activity-denied	T1021.001 - Remote Services: Remote Desktop Protocol T1110 - Brute Force T1110.003 - T1110.003	9 Rules

Vendor: Zscaler

Product	Event Types	MITRE ATT&CK® TTP	Content
Zscaler Private Access	vpn-login vpn-logout	T1110 - Brute Force	1 Rules 1 Models