Threat events
IBM® Security Verify generates alerts to determine whether traffic is suspicious. It also provides details on proactive remediation actions if traffic is determined to be suspicious.
IBM Security Verify generates the following types of alerts.
Actionable IP addresses from XFE
- Scanning IPs
- Malware
- Bots
- Botnet Command and Control Server (c2server)
- Investigation
- Analyze the traffic to determine whether it is a real attack and whether any remediation action is needed. The following criteria and attributes describe what to examine; based on that context, decide whether the activity is a real attack.
Investigation criteria | Attributes |
---|---|
Identify the affected tenant URL | top5_affected_tenantname |
Identify the type of events generated due to activity from actionable IP addresses | top5_affected_event_type |
Identify the list of suspicious IPs and validate whether any login requests were successful from these IPs |
|
Identify the severity of the alert |
|
If requests from actionable IP addresses are failed | top5_affected_data_cause gives more information on the cause of
failures. |
Identify affected usernames | top5_affected_data_username shows the top 5 accounts that were used most often
during the attack. |
Identify if any account was accessed successfully from suspicious IPs | compromised_users |
Identify the affected application | top5_affected_data_applicationname |
In addition to the investigation criteria and attributes mentioned above,
cross-verify the following detail:
|
- Possible remediation actions
-
- Block the IP address if traffic looks suspicious.
- Block user accounts if they are found to be compromised.
- Sample
-
{ "rule_id": "XFE_ACTIONABLE_IP", "rule_name": "Actionable IP addresses from XFE", "summary": "Actionable IP addresses from XFE: 115 risky events are observed from 2022-12-17 11:00:00 UTC to 2022-12-17 12:00:00 UTC.", "source": "[('tenantid', '874f131f-79a9-4581-b078-de7681091fbc')]", "component": "Login activity", "anomalous_event_count": 115, "normal_traffic_volume": 0, "start_time": 1671274800000, "end_time": 1671278400000, "date": "2022-12-17", "severity": "critical", "index": "event-*", "impacted_user_count": 22, "suspicious_ips": "[['ip', 'fail_percentage', 'failure_count', 'success_count'], ['193.118.55.162', 100.0, 5, 0], ['103.153.190.238', 40.0, 2, 3], ['209.141.36.112', 100.0, 1, 0], ['198.235.24.173', 100.0, 1, 0], ['140.213.15.89', 33.33, 1, 2], ['197.210.53.113', 33.33, 1, 2], ['47.9.0.237', 25.0, 1, 3], ['164.100.133.253', 0.0, 0, 2], ['197.210.70.62', 0.0, 0, 1], ['171.245.218.108', 0.0, 0, 1], ['116.50.59.204', 0.0, 0, 1], ['102.88.62.82', 0.0, 0, 1], ['223.196.170.127', 0.0, 0, 2], ['180.247.45.59', 0.0, 0, 1], ['129.205.124.227', 0.0, 0, 7], ['105.113.20.110', 0.0, 0, 2], ['213.55.85.89', 0.0, 0, 3], ['105.178.43.219', 0.0, 0, 7], ['103.134.0.5', 0.0, 0, 1], ['103.28.246.254', 0.0, 0, 3], ['102.89.34.16', 0.0, 0, 4], ['197.211.58.30', 0.0, 0, 5], ['121.101.133.181', 0.0, 0, 2]]", "anomalous_suspicious_ips": [ "193.118.55.162", "103.153.190.238", "209.141.36.112", "198.235.24.173", "140.213.15.89", "197.210.53.113", "47.9.0.237", "164.100.133.253", "197.210.70.62", "171.245.218.108", "116.50.59.204", "102.88.62.82", "223.196.170.127", "180.247.45.59", "129.205.124.227", "105.113.20.110", "213.55.85.89", "105.178.43.219", "103.134.0.5", "103.28.246.254", "102.89.34.16", "197.211.58.30", "121.101.133.181" ], "compromised_users": "{'105.178.43.219': ['abcd@gmail.com'], '129.205.124.227': ['efgh@gmail.com'], '197.211.58.30': ['sam@GMAIL.COM'], '102.89.34.16': ['oda@gmail.com'], '103.153.190.238': ['juni@gmail.com'], '103.28.246.254': 
['giri@outlook.com'], '213.55.85.89': ['nag@gmail.com'], '47.9.0.237': ['azam@gmail.com'], '105.113.20.110': ['oye@gmail.com'], '121.101.133.181': ['fahim@gmail.com'], '140.213.15.89': ['asda@gmail.com'], '164.100.133.253': ['bharg@tcs.com'], '197.210.53.113': ['luya@gmail.com'], '223.196.170.127': ['bhavya@kyndryl.com'], '102.88.62.82': ['mimi@gmail.com'], '103.134.0.5': ['leo@gmail.com'], '116.50.59.204': ['venkat@unilever.com'], '171.245.218.108': ['arush@gmail.com'], '180.247.45.59': ['sasds@gmail.com'], '197.210.70.62': ['chia@gmail.com']}", "xfe_threat_insight": "Found 23 known malicious IPs, having categories: bots: 22, c2server: 0, mw: 0, scanning: 2", "xfe_confirmed_malicious_ips": [ "129.205.124.227", "116.50.59.204", "102.89.34.16", "193.118.55.162", "103.153.190.238", "180.247.45.59", "164.100.133.253", "197.210.70.62", "171.245.218.108", "198.235.24.173", "102.88.62.82", "213.55.85.89", "105.178.43.219", "103.134.0.5", "209.141.36.112", "103.28.246.254", "197.211.58.30", "47.9.0.237", "197.210.53.113", "223.196.170.127", "121.101.133.181", "105.113.20.110", "140.213.15.89" ], "top5_affected_event_type": "{'risk': 44, 'authentication': 36, 'sso': 31, 'management': 4}", "most_significant_event_type": [ "risk", "authentication", "sso" ], "top5_affected_tenantname": "{'tenant1.abc.com': 92, 'tenant2.abc.com': 23}", "most_significant_tenantname": [ "tenant1.abc.com" ], "top5_affected_data_subtype": "{'oidc': 23, 'user_password': 17, 'mfa': 11, 'saml': 8, 'token-exchange': 7}", "most_significant_data_subtype": [ "oidc", "user_password", "mfa" ], "top5_affected_data_scope": "{'openid': 20, 'openid email': 2, 'openid profile': 1}", "most_significant_data_scope": [ "openid" ], "top5_affected_data_cause": "{ 'Token Exchange Successful': 7, \"CSIAC4610E Unable to retrieve the application's configuration for the Entity ID https://18.135.137.31/samlsp.em7?action=metadata because there is no match found.\": 5, 'Authenticated user \"pascal@gmail.com\" successfully.': 
2, 'Authenticated user \"negu@gmail.com\" successfully.': 2, 'The system failed to authenticate user \"juni@gmail.com\" because of \"INVALID_CREDS\".': 2 }", "most_significant_data_cause": [ "Token Exchange Successful", "CSIAC4610E Unable to retrieve the application's configuration for the Entity ID https://18.135.137.31/samlsp.em7?action=metadata because there is no match found.", "Authenticated user \"pascal@gmail.com\" successfully." ], "top5_affected_data_sourcetype": "{'clouddirectory': 24, 'oidc': 7, 'saml': 1}", "most_significant_data_sourcetype": [ "clouddirectory", "oidc" ], "top5_affected_data_providerid": "{'https://18.135.137.31/samlsp.em7?action=metadata': 5, 'https://18.135.144.228/samlsp.em7?action=metadata': 1, 'https://3.123.117.242/samlsp.em7?action=metadata': 1, 'https://tenant1.abc.com/saml/sps/saml20ip/saml20': 1, 'https://sso.everbridge.net/GNMManager': 1}", "most_significant_data_providerid": [ "https://18.135.137.31/samlsp.em7?action=metadata", "https://18.135.144.228/samlsp.em7?action=metadata", "https://3.123.117.242/samlsp.em7?action=metadata" ], "top5_affected_data_grant_type": "{'authorization_code': 18, 'resource_owner': 7, 'implicit': 5}", "most_significant_data_grant_type": [ "authorization_code", "resource_owner" ], "top5_affected_data_mfamethod": "{'Email OTP': 15}", "most_significant_data_mfamethod": [ "Email OTP" ], "top5_affected_data_username": "{'aze@gmail.com': 16, 'pascal@gmail.com': 12, 'SAM@GMAIL.COM': 10, 'oda@gmail.com': 8, 'UNKNOWN': 7}", "most_significant_data_username": [ "aze@gmail.com", "pascal@gmail.com", "SAM@GMAIL.COM", "oda@gmail.com" ], "top5_affected_geoip_country_name": "{'Nigeria': 46, 'India': 20, 'Indonesia': 20, 'Rwanda': 12, 'Netherlands': 5}", "most_significant_geoip_country_name": [ "Nigeria", "India", "Indonesia" ] }
Potential credential stuffing (PCS) attack
This alert indicates a potential credential stuffing attack. A sudden increase in username/password failures was detected. The activity level is compared to the normal SSO or authentication (Auth) event behavior in the last 14 days. The alert contains details on any rogue IP addresses that were found during the attack.
- Investigation
- Analyze the traffic to determine whether it is a real attack and whether any remediation action is needed. The following criteria and attributes describe what to examine; based on that context, decide whether the activity is a real attack.
Investigation criteria | Attributes |
---|---|
Identify the affected tenant URL | top5_affected_tenantname |
Identify the list of suspicious IPs and validate whether any login requests were successful from these IPs |
|
Identify the severity of the alert |
|
Fetch more information on the cause of failures | top5_affected_data_cause |
Identify affected usernames | top5_affected_data_username shows the top 5 accounts that were used most often
during the attack. |
Identify if any account was accessed successfully from suspicious IPs | compromised_users |
Identify the affected application | top5_affected_data_applicationname |
Identify traffic volume | normal_traffic_volume provides a baseline count based on the last 14 days of
events, which is compared with the events in the last 1 hour. anomalous_event_count is
the difference between the total events in the last 1 hour and
normal_traffic_volume. |
Debug affected components during the attack or for operational issues | The following attributes can be analyzed to get further context for the investigation:
Note: The number of events for each value of the above attributes is given in
the corresponding
top5_affected_<FIELD NAME> attribute |
- Some known analysis patterns
-
- Identify
xfe_confirmed_malicious_ips
list. If any IP is found in this list, it can be blocked directly or reported as an attack with high confidence. - Look at the statistics of the IPs in the
suspicious_ips
list.- If most of the failed events come from a single IP and the remaining IPs each have only a few
failure events, then someone might have run a script or application configured with a wrong username
or password (identify the valid username(s) accessed from that IP). Also, look at the cause of failure
and
top5_affected_data_applicationname
to see whether it matches a known issue. - If multiple IPs in the suspicious IP list have a significant failure count, then it is highly
likely to be an attack. Identify the
top5_affected_geoip_country_name
in the alert and also the country and username distribution for each high-failure suspicious IP individually. - If the failures are for a specific application, then they might be due to a misconfiguration of the application. Check with the application owner.
- If most of the failed events come from a single IP and the remaining IPs each have only a few
failure events, then someone might have run a script or application configured with a wrong username
or password (identify the valid username(s) accessed from that IP). Also, look at the cause of failure
and
- For authentication events, if most failure causes contain strings like
INVALID_CREDS
, then it might be an attack.
- Identify
- Possible remediation actions
-
- If unsure whether it is an attack, monitor the traffic and determine whether the username or password failures are increasing.
- If confirmed as an attack, then block the IPs listed in the
anomalous_suspicious_ips
attribute. - Accounts that were logged in to successfully from suspicious IPs are potentially compromised.
The potentially compromised usernames corresponding to each suspicious IP are listed in the
compromised_users
attribute. For compromised accounts, decide whether to reset the passwords or disable the accounts.
- Sample alert
-
{ "rule_id": "CREDENTIAL_STUFFING_SSO", "rule_name": "Potential credential stuffing attack (SSO)", "summary": "Potential credential stuffing attack (SSO): 31348 anomalous events are observed, beyond normal traffic volume, from 2022-11-23 17:00:00 UTC to 2022-11-23 18:00:00 UTC.", "source": "[('tenantid', '874f131f-79a9-4581-b078-de7681091fbc'), ('tenantname', 'tenant1.abc.com'), ('data.result', 'failure')]", "component": "Login activity", "anomalous_event_count": 31348, "normal_traffic_volume": 1004, "start_time": 1669222800000, "end_time": 1669226400000, "date": "2022-11-23", "severity": "critical", "index": "event-sso-*", "impacted_user_count": 32090, "impacted_apps_count": 5, "suspicious_ips": "[['ip', 'fail_percentage', 'failure_count', 'success_count'], ['52.117.163.162', 98.72, 10517, 136], ['169.50.223.22', 98.53, 5502, 82], ['169.50.223.24', 98.42, 5431, 87], ['169.59.129.120', 98.44, 5242, 83], ['169.59.129.116', 98.67, 5185, 70]]", "anomalous_suspicious_ips": [ "169.50.223.22", "169.50.223.24", "169.59.129.116", "169.59.129.120", "52.117.163.162" ], "compromised_users": "{'52.117.163.162': ['Aroh@gmail.com', 'Carb@aol.com', 'Sha@gmail.com'], '169.50.223.24': ['Thar@univ.jfn.ac.lk', 'Tn@gmail.com', 'ain@gmail.com'], '169.59.129.120': ['IBM@mailinator.com', '118@umail.ucc.ie', '229@qq.com', '405@qq.com'], '169.50.223.22': ['IBM@mailinator.com', '4A8@stust.edu.tw', '4A8@stust.edu.tw'], '169.59.129.116': ['IBM@mailinator.com', '202@student.act.edu']}", "xfe_threat_insight": "Found 1 known malicious IPs, having categories: anonsvcs: 0, bots: 0, c2server: 0, mw: 1, scanning: 0.", "xfe_confirmed_malicious_ips": [ "52.117.163.162" ], "top5_affected_tenantname": "{'tenant1.abc.com': 32352}", "most_significant_tenantname": [ "tenant1.abc.com" ], "top5_affected_data_subtype": "{'oidc': 32352}", "most_significant_data_subtype": [ "oidc" ], "top5_affected_data_scope": "{'openid': 32352}", "most_significant_data_scope": [ "openid" ], "top5_affected_data_cause": 
"{'CSIAQ0264E The user name or password is invalid.': 32321, 'CSIAQ0264E El nombre de usuario o la contraseña no es válido.': 12, 'CSIAQ0264E O nome do usuário ou a senha é inválida.': 9, 'CSIAQ0264E 用户名或密码无效。': 4, 'CSIAQ0264E 사용자 이름 또는 비밀번호가 올바르지 않습니다.': 2}", "most_significant_data_cause": [ "CSIAQ0264E The user name or password is invalid." ], "top5_affected_data_applicationname": "{'urx_next': 31877, 'ABC_PROD_CLOUD': 347, 'ABC Cloud IAM production - global': 117, 'ABC Cloud IAM staging - global': 7, 'ABC Cloud IAM integrationtest': 4}", "most_significant_data_applicationname": [ "urx_next" ], "top5_affected_data_client_name": "{'urx_next': 31877, 'ABC_PROD_CLOUD': 347, 'ABC Cloud IAM production - global': 117, 'ABC Cloud IAM staging - global': 7, 'ABC Cloud IAM integrationtest': 4}", "most_significant_data_client_name": [ "urx_next" ], "top5_affected_data_redirecturl": "{'UNKNOWN': 32352}", "most_significant_data_redirecturl": [ "UNKNOWN" ], "top5_affected_data_providerid": "{}", "most_significant_data_providerid": [], "top5_affected_data_username": "{'wsa@ibm.com': 319, 'arm@gmail.com': 17, 'armo@gmail.com': 9, '123@mail.ru': 6, 'e_epps@ymail.com': 6}", "most_significant_data_username": [ "wsa@ibm.com" ], "top5_affected_geoip_country_name": "{'United States': 32334, 'Australia': 17, 'United Kingdom': 1}", "most_significant_geoip_country_name": [ "United States" ] }
Multiple failed login attempts from IP address
This alert indicates either a brute-force or a credential stuffing attack. A sudden increase in failed logins from an IP address was detected. The activity level is compared to the normal SSO or authentication (Auth) event behavior in the last 7 days.
- Investigation
- Analyze the traffic to determine whether it is a real attack and whether any remediation action is needed. The following criteria and attributes describe what to examine; based on that context, decide whether the activity is a real attack.
Investigation criteria | Attributes |
---|---|
Identify the affected tenant URL | top5_affected_tenantname |
Identify the list of suspicious IPs and validate whether any login requests were successful from these IPs |
|
Identify the severity of the alert |
|
Fetch information on the cause of failures | top5_affected_data_cause helps determine whether the failures are due to an
operational issue. |
Identify affected usernames | top5_affected_data_username shows the top 5 accounts that were used most often
during the attack. |
Identify if any account was accessed successfully from suspicious IPs | compromised_users |
Identify the affected application | top5_affected_data_applicationname |
Identify traffic volume | normal_traffic_volume provides a baseline count based on the last 7 days of
events, which is compared with the events in the last 1 hour. anomalous_event_count is
the difference between the total events in the last 1 hour and
normal_traffic_volume. |
Debug affected components during the attack or for operational issues | The following attributes can be analyzed to get further context for the investigation:
Note: The number of events for each value of the above attributes is given in
the corresponding
top5_affected_<FIELD NAME> attribute |
In addition to the investigation criteria and
attributes already mentioned, cross-verify the following details:
|
- Some known analysis patterns
-
- Identify
xfe_confirmed_malicious_ips
list; if an IP appears there, block it. - Check the number of Multiple Failed Login alerts that were generated in that hour, then
identify
top5_affected_data_cause
, top5_affected_data_applicationname
, and top5_affected_data_username
. - If the traffic is from a specific application and a specific user, then someone may have configured a wrong username/password and run a script. Confirm whether the traffic is legitimate.
- If the traffic is coming from multiple users, block the IP (unless it is a VPN or proxy IP
address). If the IP is a VPN or proxy IP, then examine
top5_affected_data_cause
to determine whether the failures are due to an operational issue. - If multiple alerts are found in one hour, identify
top5_affected_tenantname
and top5_affected_data_username
for each alert. If multiple IPs have the most failures for a single tenant and from multiple users, it can be an attack or a major application or system failure.
- Identify
- Possible remediation actions
-
- If unsure whether it is an attack, monitor the traffic to determine whether the failures are decreasing or increasing.
- If confirmed as an attack, then block the IPs listed in the
anomalous_suspicious_ips
attribute. - Accounts that were logged in to successfully from suspicious IPs are potentially compromised.
The potentially compromised usernames corresponding to each suspicious IP are listed in the
compromised_users
attribute. For compromised accounts, decide whether to reset the passwords or disable the accounts.
- Sample alert
-
{ "rule_id": "MULTIPLE_FAILED_LOGIN_AUTH", "rule_name": "Multiple failed login from an IP address (Auth)", "summary": "Multiple failed login from an IP address (Auth): 5597 anomalous events are observed, beyond normal traffic volume, from 2023-01-10 17:00:00 UTC to 2023-01-10 18:00:00 UTC.", "source": "[('data.origin', '165.155.173.54'), ('data.result', 'failure')]", "component": "Login activity", "anomalous_event_count": 5597, "normal_traffic_volume": 0, "start_time": 1673370000000, "end_time": 1673373600000, "date": "2023-01-10", "severity": "critical", "index": "event-authentication-*", "impacted_user_count": 17, "suspicious_ips": "[['ip', 'fail_percentage', 'failure_count', 'success_count'], ['165.155.173.54', 98.45, 5597, 88]]", "anomalous_suspicious_ips": [ "165.155.173.54" ], "compromised_users": "{'165.155.173.54': ['serafina', 'alessi', 'donyg', 'evanb', 'joelr', 'taqb', 'anthony', 'heaven', 'jenny', 'jessica']}", "xfe_threat_insight": "Found 0 known malicious IPs.", "xfe_confirmed_malicious_ips": [], "top5_affected_tenantname": "{'tenant1.abc.com': 5593, 'tenant2.abc.com': 4}", "most_significant_tenantname": [ "idpcloud.nycenet.edu" ], "top5_affected_data_subtype": "{'user_password': 5596, 'mfa': 1}", "most_significant_data_subtype": [ "user_password" ], "top5_affected_data_scope": "{}", "most_significant_data_scope": [], "top5_affected_data_cause": "{'The system failed to authenticate user \"aariz\" because of \"INVALID_CREDS\".': 5579, 'The system failed to authenticate user \"anthony\" because of \"INVALID_CREDS\".': 2, 'The system failed to authenticate user \"mtorr\" because of \"INVALID_CREDS\".': 2, 'CSIAH2417E The one-time password that you submitted was invalid. Submit a valid one-time password.': 1, 'The system failed to authenticate user \"aless\" because of \"INVALID_CREDS\".': 1}", "most_significant_data_cause": [ "The system failed to authenticate user \"aari\" because of \"INVALID_CREDS\"." 
], "top5_affected_data_sourcetype": "{'clouddirectory': 5596}", "most_significant_data_sourcetype": [ "clouddirectory" ], "top5_affected_data_providerid": "{}", "most_significant_data_providerid": [], "top5_affected_data_grant_type": "{}", "most_significant_data_grant_type": [], "top5_affected_data_mfamethod": "{'SMS OTP': 1}", "most_significant_data_mfamethod": [ "SMS OTP" ], "top5_affected_data_username": "{'aari': 5579, 'anthony': 2, 'mtor': 2, 'ANor': 1, 'aless': 1}", "most_significant_data_username": [ "aari" ], "top5_affected_geoip_country_name": "{'United States': 5597}", "most_significant_geoip_country_name": [ "United States" ] }
Abnormal number of failed SSO/Authentication events observed per tenant
This alert indicates either a brute-force or credential stuffing attack, or an operational issue.
- Investigation
- Analyze the traffic to determine whether it is a real attack and whether any remediation action is needed. The following criteria and attributes describe what to examine; based on that context, decide whether the activity is a real attack.
Investigation criteria | Attributes |
---|---|
Identify the affected tenant URL | top5_affected_tenantname |
Identify the list of suspicious IPs and validate whether any login requests were successful from these IPs |
|
Identify the severity of the alert |
|
Fetch information on the cause of failures | top5_affected_data_cause helps determine whether the failures are due to an
operational issue. |
Identify affected usernames | top5_affected_data_username shows the top 5 accounts that were used most often
during the attack. |
Identify the affected application | top5_affected_data_applicationname |
Identify traffic volume | normal_traffic_volume provides a baseline count based on the last 14 days of
events, which is compared with the events in the last 1 hour. anomalous_event_count is
the difference between the total events in the last 1 hour and
normal_traffic_volume. |
Debug affected components during the attack or for operational issues | The following attributes can be analyzed to get further context for the investigation:
Note: The number of events for each value of the above attributes is given in
the corresponding
top5_affected_<FIELD NAME> attribute |
In addition to the investigation criteria and
attributes already mentioned, cross-verify the following details:
|
- Possible remediation actions
-
- If unsure whether it is an attack, monitor the traffic to determine whether the failures are decreasing or increasing.
- If confirmed as an attack, then block the IPs listed in the
anomalous_suspicious_ips
attribute. - Accounts that were logged in to successfully from suspicious IPs are potentially compromised.
The potentially compromised usernames corresponding to each suspicious IP are listed in the
compromised_users
attribute. For compromised accounts, decide whether to reset the passwords or disable the accounts.
- Sample alert
-
{ "rule_id": "TENANT_FAILED_SSO_EVENTS", "rule_name": "Abnormal number of failed SSO events observed per tenant.", "summary": "Abnormal number of failed SSO events observed per tenant.: 24456 anomalous events are observed, beyond normal traffic volume, from 2022-12-19 10:00:00 UTC to 2022-12-19 11:00:00 UTC.", "source": "[('tenantid', '874f131f-79a9-4581-b078-de7681091fbc'), ('tenantname', 'tenant1.abc.com'), ('data.result', 'failure')]", "component": "Login activity", "anomalous_event_count": 24456, "normal_traffic_volume": 711, "start_time": 1671444000000, "end_time": 1671447600000, "date": "2022-12-19", "severity": "critical", "index": "event-sso-*", "impacted_user_count": 88, "impacted_apps_count": 37, "suspicious_ips": "[['ip', 'fail_percentage', 'failure_count', 'success_count'], ['177.241.73.204', 100.0, 24777, 0], ['129.42.21.2', 100.0, 26, 0], ['129.42.18.2', 100.0, 24, 0], ['129.42.19.2', 100.0, 24, 0], ['89.64.54.76', 100.0, 19, 0], ['52.116.134.146', 100.0, 12, 0], ['122.161.79.4', 100.0, 11, 0]]", "anomalous_suspicious_ips": [ "122.161.79.4", "177.241.73.204", "89.64.54.76" ], "xfe_threat_insight": "Found 1 known malicious IPs, having categories: anonsvcs: 0, bots: 1, c2server: 0, mw: 0, scanning: 0", "xfe_confirmed_malicious_ips": [ "122.161.79.4" ], "top5_affected_tenantname": "{'tenant1.abc.com': 25167}", "most_significant_tenantname": [ "tenant1.abc.com" ], "top5_affected_data_subtype": "{'oidc': 25167}", "most_significant_data_subtype": [ "oidc" ], "top5_affected_data_scope": "{'openid email': 24790, 'openid': 259, 'openid profile': 2, 'openid profile email': 1}", "most_significant_data_scope": [ "openid email" ], "top5_affected_data_cause": "{'CSIAQ0178E Login is required. 
The request cannot be processed without authentication.': 24777, 'CSIAQ0278E User is not authorized to access the application due to policy constraints.': 150, 'CSIAQ0158E The [authorization_grant] of type [authorization_code] does not exist or is invalid.': 70, 'CSIAQ0158E The [authorization_grant] of type [refresh_token] does not exist or is invalid.': 31, 'CSIAQ0158E タイプ [refresh_token] の [authorization_grant] は存在しないか無効です。': 13}", "most_significant_data_cause": [ "CSIAQ0178E Login is required. The request cannot be processed without authentication." ], "top5_affected_data_applicationname": "{'Gaz-HAT-Production': 24777, 'abc-refresh-service-prod': 107, 'ABCProductionOIDC': 72, 'ABC Publisher': 63, 'FastPassPRDClient': 30}", "most_significant_data_applicationname": [ "Gaz-HAT-Production" ], "top5_affected_data_client_name": "{'ABC-HAT-Production': 24777, 'ABCrefresh-service-prod': 107, 'ABCProductionOIDC': 72, 'abc Publisher': 63, 'abcFastPassPRDClient': 30}", "most_significant_data_client_name": [ "Gaz-HAT-Production" ], "top5_affected_data_redirecturl": "{'https://gaz.tuc.stglabs.ibm.com/oidc/callback/': 24777, 'https://w3-authorization-service.us-south-k8s.intranet.ibm.com/sso/callback': 88, 'https://w3.ibm.com/w3publisher/redirect.html': 63, 'UNKNOWN': 50, 'https://fastpass.w3cloud.ibm.com:443/oidcclient/redirect/FastPassPRDClient': 30}", "most_significant_data_redirecturl": [ "https://gaz.tuc.stglabs.ibm.com/oidc/callback/" ], "top5_affected_data_providerid": "{}", "most_significant_data_providerid": [], "top5_affected_data_username": "{'UNKNOWN': 24978, 'katar@ocean.ibm.com': 19, 'Jaya@ocean.ibm.com': 17, 'shiv@ocean.ibm.com': 11, 'Neha@ocean.ibm.com': 10}", "most_significant_data_username": [ "UNKNOWN" ], "top5_affected_geoip_country_name": "{'Mexico': 24777, 'United States': 192, 'India': 84, 'Poland': 26, 'Japan': 22}", "most_significant_geoip_country_name": [ "Mexico" ] }
Frequent authentication from a single user
This alert indicates either a brute-force or credential stuffing attack, or an operational issue.
- Investigation
- Analyze the traffic to determine whether it is a real attack and whether any remediation action is needed. The following criteria and attributes describe what to examine; based on that context, decide whether the activity is a real attack.
Investigation criteria | Attributes |
---|---|
Identify the affected tenant URL | top5_affected_tenantname |
Identify the severity of the alert |
|
Identify affected usernames | top5_affected_data_username shows the top 5 accounts that were used most often
during the attack. |
Identify the affected application | top5_affected_data_applicationname |
Identify traffic volume | normal_traffic_volume provides a baseline count based on the last 7 days of
events, which is compared with the events in the last 1 hour. anomalous_event_count is
the difference between the total events in the last 1 hour and
normal_traffic_volume. |
Debug affected components during the attack or for operational issues | The following attributes can be analyzed to get further context for the investigation:
Note: The number of events for each value of the above attributes is given in
the corresponding
top5_affected_<FIELD NAME> attribute |
In addition to the investigation criteria and
attributes already mentioned, cross-verify the following details:
|
- Some known analysis patterns
-
- Identify whether multiple alerts are arriving in the same interval for a single tenant. If yes, then
check for any known operational issue for the tenant; otherwise look at the
top5_affected_data_applicationname
attribute to identify the application responsible for generating the alert. - If the alert is generated from the same source (that is, the same tenant URL and username) for multiple hours, the user can be blocked for a period (for example, 24 hours).
- Look at the IP address and application-name distribution to identify whether it is a distributed attack.
- Identify if multiple alerts are coming in the same interval for a single tenant. If yes, then
check for any known operational issue for the tenant, otherwise look at the
- Possible remediation actions
-
- If unsure whether it is an attack, monitor the traffic and determine whether the username or password failures are increasing.
- If the traffic is identified as suspicious, then block the account for which the alert was generated as a proactive remediation.
- Sample alert
-
{ "rule_id": "FREQUENT_AUTH_SINGLEUSER_AUTH", "rule_name": "Frequent authentication from single user (Auth)", "summary": "Frequent authentication from single user (Auth): 16283 anomalous events are observed, beyond normal traffic volume, from 2022-12-26 10:00:00 UTC to 2022-12-26 11:00:00 UTC.", "source": "[('tenantid', '874f131f-79a9-4581-b078-de7681091fbc'), ('data.username', 'MSurk'), ('data.result', 'success')]", "component": "Login activity", "anomalous_event_count": 16283, "normal_traffic_volume": 0, "start_time": 1672048800000, "end_time": 1672052400000, "date": "2022-12-26", "severity": "critical", "index": "event-authentication-*", "impacted_user_count": 1, "anomalous_suspicious_ips": [ "12.153.148.57" ], "top5_affected_tenantname": "{'tenant1.abc.com': 16283}", "most_significant_tenantname": [ "tenant1.abc.com" ], "top5_affected_data_cause": "{'Authenticated user \"MSurk\" successfully.': 16283}", "most_significant_data_cause": [ "Authenticated user \"MSurk\" successfully." ], "top5_affected_data_subtype": "{'user_password': 16283}", "most_significant_data_subtype": [ "user_password" ], "top5_affected_data_scope": "{}", "most_significant_data_scope": [], "top5_affected_data_sourcetype": "{'clouddirectory': 16283}", "most_significant_data_sourcetype": [ "clouddirectory" ], "top5_affected_data_origin": "{'12.153.148.57': 16283}", "most_significant_data_origin": [ "12.153.148.57" ], "top5_affected_data_providerid": "{}", "most_significant_data_providerid": [], "top5_affected_data_grant_type": "{}", "most_significant_data_grant_type": [], "top5_affected_data_mfamethod": "{}", "most_significant_data_mfamethod": [], "top5_affected_data_username": "{'MSurk': 16283}", "most_significant_data_username": [ "MSurk" ], "top5_affected_geoip_country_name": "{'United States': 16283}", "most_significant_geoip_country_name": [ "United States" ] }
Abnormal number of MFA device enrollments
This alert indicates a brute-force attack.
- Investigation
- Analyze the traffic to determine whether it is a real attack and whether any remediation action is needed. The following criteria and attributes describe what to examine; based on that context, decide whether the activity is a real attack.
Investigation criteria | Attributes |
---|---|
Identify the affected tenant URL | top5_affected_tenantname |
Identify the severity of the alert |
|
Identify the most used MFA method in the last 1 hour | top5_affected_data_mfamethod |
- Some known analysis patterns
-
- This alert is generated on management events. If an alert is found, then check whether it is
from a valid user or not. If the user is valid, then identify the type of authentication
(
top5_affected_data_mfamethod
) and the number of devices enrolled (anomalous_event_count
). Take action if the activity looks suspicious.
- This alert is generated on management events. If any alert is found, then look whether it is
from a valid user or not. If the user is valid, then identify the type of authentication
(
- Possible remediation actions
-
- If unsure whether it is an attack, monitor the traffic. Determine whether traffic with a username or a password failure is increasing.
- If the traffic is identified as suspicious, block the account for which the alert is generated as a proactive remediation, and review the MFA devices enrolled during the alert window so that any unauthorized device can be removed.
- Sample alert
-
{ "rule_name": "Abnormal number of device enrollments", "rule_id": "ABNORMAL_DEVICE_ENROLLMENT", "summary": "Abnormal number of device enrollments: 20 anomalous events are observed, beyond normal traffic volume, from 2023-01-12 17:00:00 UTC to 2023-01-12 18:00:00 UTC.", "severity": "critical", "date": "2023-01-12", "start_time": "2023-01-12 17:00:00", "end_time": "2023-01-12 18:00:00", "component": "Login activity", "normal_traffic_volume": 0, "anomalous_event_count": 20, "impacted_user_count": 1, "index": "event-management-*", "most_significant_data_origin": [ "129.41.58.3" ], "top5_affected_data_username": "{'Henry': 20}", "source": "[('data.mfamethod', 'Voice OTP'), ('data.username', 'Henry')]", "most_significant_data_mfamethod": [ "Voice OTP" ], "most_significant_geoip_country_name": [ "United States" ], "most_significant_data_grant_type": [], "top5_affected_tenantname": "{'tenant1.abc.com': 20}", ], "most_significant_tenantname": [ "tenant1.abc.com" ], "top5_affected_data_origin": "{'129.41.58.3': 20}", "anomalous_suspicious_ips": [ "129.41.58.3" ], "top5_affected_geoip_country_name": "{'United States': 20}", "top5_affected_data_grant_type": "{}", "top5_affected_data_mfamethod": "{'Voice OTP': 20}", "most_significant_data_username": [ "Henry" ] }
Multiple use of compromised credentials
This alert indicates a possible account takeover, brute-force, or credential-stuffing attack.
- Investigation
- Analyze the traffic to determine whether the alert represents a real attack and whether any remediation action is needed. The following investigation criteria and attributes provide the context for that decision.
Investigation criteria | Attributes |
---|---|
Identify the affected tenant URL | top5_affected_tenantname |
Identify the severity of the alert | severity |
Identify the IP address that is trying to use the compromised credentials | The data.origin entry in the source attribute. |
Identify affected usernames | top5_affected_data_username shows the top 5 accounts that are mostly used
during the attack. |
Identify traffic volume | normal_traffic_volume is a baseline count derived from the last 7 days of events, against which the events of the last hour are compared. anomalous_event_count is the difference between the total number of events in the last hour and normal_traffic_volume. |
Debug affected components during the attack or for operational issues | The following attributes can be analyzed to get further context for the investigation.
Note: The number of events for each value of these attributes is given in the corresponding
top5_affected_<FIELD NAME> attribute. |
- Some known analysis patterns
-
- Identify whether the IP address is trying to access multiple users with the compromised credentials, from the top5_affected_data_username attribute. If so, the IP address can be blocked for some duration.
- If multiple alerts are found from multiple IP addresses within an hour, or the same IP address was also detected by the Multiple_failed_login or credential_stuffing rule, it might be a brute-force or credential-stuffing attack.
- Possible remediation actions
-
- If unsure whether it is an attack, monitor the traffic. Determine whether traffic with a username or a password failure is increasing.
- If any user accounts were successfully accessed from the same IP address during the attack window, log those users out of all active sessions and prompt them to change their password, or temporarily block the users as a proactive remediation.
- If multiple users are being accessed from the same IP address with compromised credentials, block the IP address given in the data.origin entry of the source attribute.
- Sample alert
-
{ "rule_id": "COMPROMISED_CREDENTIALS", "rule_name": "Multiple use of compromised credentials", "summary": "Multiple use of compromised credentials: 100 anomalous events are observed, beyond normal traffic volume, from 2023-02-08 21:00:00 UTC to 2023-02-08 22:00:00 UTC.", "source": "[('data.origin', '129.41.58.3'), ('data.dict_type', 'GLOBAL')]", "component": "Login activity", "severity": "critical", "impacted_user_count": 1, "anomalous_event_count": 100, "normal_traffic_volume": 0, "date": "2023-02-08", "top5_affected_data_scope": "{}", "rule_attribute": "compromised_credentials", "top5_affected_data_username": "{'Henry': 100}", "start_time": "2023-02-08 21:00:00", "end_time": "2023-02-08 22:00:00", "index": "event-authentication-*", "most_significant_data_mfamethod": [], "most_significant_geoip_country_name": [ "United States" ], "most_significant_data_grant_type": [], "top5_affected_tenantname": "{'tenant1.abc.com': 100}", "top5_affected_data_providerid": "{}", ], "most_significant_tenantname": [ "tenant1.abc.com" ], "most_significant_data_sourcetype": [ "clouddirectory" ], "most_significant_data_scope": [], ], "top5_affected_data_subtype": "{'user_password': 100}", "most_significant_data_subtype": [ "user_password" ], "most_significant_data_providerid": [], "top5_affected_geoip_country_name": "{'United States': 100}", "top5_affected_data_grant_type": "{}", "top5_affected_data_mfamethod": "{}", "top5_affected_data_sourcetype": "{'clouddirectory': 100}", "most_significant_data_username": [ "Henry" ] }
Grouping by cause of failure
This alert indicates operational issues.
- Investigation
- Analyze the traffic to determine whether the alert represents a real attack or an operational issue, and whether any remediation action is needed. The following investigation criteria and attributes provide the context for that decision.
Investigation criteria | Attributes |
---|---|
Identify the affected tenant URL | top5_affected_tenantname |
Identify the severity of the alert | severity |
Identify affected usernames | top5_affected_data_username |
Identify traffic volume | normal_traffic_volume is a baseline count derived from the last 7 days of events, against which the events of the last hour are compared. anomalous_event_count is the difference between the total number of events in the last hour and normal_traffic_volume. |
Debug affected components during the attack or for operational issues | The following attributes can be analyzed to get further context for the investigation.
Note: The number of events for each value of these attributes is given in the corresponding
top5_affected_<FIELD NAME> attribute. |
Identify the affected application and type of issue | From top5_affected_data_applicationname and the summary
attributes. |
- Possible remediation actions
-
- Depending on the operational issue, remediation might require configuration changes in the Verify admin console or assistance from the Verify Support team.
- Sample alert
-
{ "rule_id": "CAUSE_OF_SSO_FAILURE", "rule_name": "Grouping by the cause of failure (SSO)", "summary": "Grouping by the cause of failure (SSO): 11314 anomalous events are observed, beyond normal traffic volume, from 2023-01-18 15:00:00 UTC to 2023-01-18 16:00:00 UTC.", "source": "[('data.cause', 'CSIAC5061E An unexpected error has occurred with a protocol module com.tivoli.am.fim.fedmgr2.protocol.GenericPocAuthenticationDelegateProtocol.'), ('data.result', 'failure')]", "component": "Login activity", "anomalous_event_count": 11314, "normal_traffic_volume": 1595, "start_time": 1674054000000, "end_time": 1674057600000, "date": "2023-01-18", "severity": "critical", "index": "event-sso-*", "impacted_user_count": 7774, "impacted_apps_count": 20, ], "top5_affected_tenantname": "{'tenant1.abc.com': 11057, 'tenant2.abc.com': 1852}", "most_significant_tenantname": [ "tenant1.abc.com" ], "top5_affected_data_subtype": "{'saml': 12420, 'WS-Fed': 489}", "most_significant_data_subtype": [ "saml" ], "top5_affected_data_scope": "{}", "most_significant_data_scope": [], "top5_affected_data_cause": "{'CSIAC5061E An unexpected error has occurred with a protocol module com.tivoli.am.fim.fedmgr2.protocol.GenericPocAuthenticationDelegateProtocol.': 12909}", "most_significant_data_cause": [ "CSIAC5061E An unexpected error has occurred with a protocol module com.tivoli.am.fim.fedmgr2.protocol.GenericPocAuthenticationDelegateProtocol." 
], "top5_affected_data_applicationname": "{'ABC-365': 320, 'Google.com': 67}", "most_significant_data_applicationname": [ "ABC-365" ], "top5_affected_data_client_name": "{}", "most_significant_data_client_name": [], "top5_affected_data_redirecturl": "{}", "most_significant_data_redirecturl": [], "top5_affected_data_providerid": "{'UNKNOWN': 12472, 'urn:federation:MicrosoftOnline': 323}", "most_significant_data_providerid": [ "UNKNOWN" ], "top5_affected_data_username": "{'UNKNOWN': 86, 'jer@abc.com': 60, 'crow@abc.com': 31, 'julia': 20, 'Bryan': 11}", "most_significant_data_username": [ "UNKNOWN", "jer@abc.com", "crow@abc.com" ], "top5_affected_geoip_country_name": "{'United States': 12295, 'India': 178, 'Canada': 84, 'United Kingdom': 72, 'Mexico': 36}", "most_significant_geoip_country_name": [ "United States" ] }
For more information about threat detection, see Threat Detection in Verify.