Open High Risk score: 69

Multiple failed logon attempts followed by success

May 12, 2023 @ 09:08:33.100 · representative alert
Assignees Notes
Overview Table JSON
About
Detects a burst of failed authentication events that resolve into a successful login, a common brute-force or credential-stuffing signature.
Show rule summary ↗
Insights
Correlations
199 suppressed alerts
0 related cases  ·  1 alert related by source event
Grouped on host.name · user.name · source.ip over the last rule execution
Representative event
8 failed RDP attempts then success outside business hours on prod-jump-01 by svc_backup.
Failed logon · svc_backup09:08:31.220 · prod-jump-01
Failed logon · svc_backup09:08:31.844 · prod-jump-01
Failed logon · svc_backup09:08:32.410 · prod-jump-01
Successful logon · svc_backup09:08:33.100 · prod-jump-01
…and 195 more. Open in Timeline for the full sequence