Threat events

IBM® Security Verify generates alerts to determine whether traffic is suspicious. It also provides details on proactive remediation actions if traffic is determined to be suspicious.

IBM Security Verify generates the following types of alerts.

Actionable IP addresses from XFE

This alert indicates a possible brute force attack. High-risk IP addresses that are involved in malicious activities, such as password spraying and botnet C&C, were detected. The alert might indicate that some accounts were compromised within the last hour. Verify uses four categories to determine actionable IPs.
  • Scanning IPs
  • Malware
  • Bots
  • Botnet Command and Control Server (c2server)
Investigation
Analyze the traffic to determine whether it is a real attack and whether any remediation action is needed. The following investigation criteria and attributes provide the context for that decision.
Investigation criteria and attributes
Identify the affected tenant URL: top5_affected_tenantname
Identify the type of events generated by activity from actionable IP addresses: top5_affected_event_type
Identify the list of suspicious IPs and validate whether any login requests from these IPs succeeded:
  • xfe_confirmed_malicious_ips - List of actionable IPs from which SSO, authentication, or management events were found in the last 1 hour.
  • xfe_threat_insight - Categories associated with the actionable IPs. For example, "Found 3 known malicious IPs, having categories: anons - 0, bots - 3, c2server - 0, mw - 0, scanning - 0."
  • suspicious_ips - List of actionable IPs found in the last hour, with the failure percentage, number of successful login events, and number of failed login events for each IP.
Identify the severity of the alert:
  • Critical - If 5 or more IP addresses from the actionable IPs have a risk score > 8.
  • Warning - If at least one IP address from the actionable IPs has a risk score > 6.
Identify why requests from actionable IP addresses failed: top5_affected_data_cause gives more information on the cause of the failures.
Identify affected usernames: top5_affected_data_username shows the top 5 accounts that were used most during the attack.
Identify whether any account was accessed successfully from suspicious IPs: compromised_users
Identify the affected application: top5_affected_data_applicationname
In addition to the mentioned investigation criteria and attributes, cross-verify the following detail:
  • If management events are generated, identify if the passwords are reset or the MFA devices are added for one or more users. This might indicate the risk of account takeover.
Possible remediation actions
  • Block the IP address if traffic looks suspicious.
  • Block user accounts if they are found to be compromised.
Sample
{
  "rule_id": "XFE_ACTIONABLE_IP",
  "rule_name": "Actionable IP addresses from XFE",
  "summary": "Actionable IP addresses from XFE: 115 risky events are observed from 2022-12-17 11:00:00 UTC to 2022-12-17 12:00:00 UTC.",
  "source": "[('tenantid', '874f131f-79a9-4581-b078-de7681091fbc')]",
  "component": "Login activity",
  "anomalous_event_count": 115,
  "normal_traffic_volume": 0,
  "start_time": 1671274800000,
  "end_time": 1671278400000,
  "date": "2022-12-17",
  "severity": "critical",
  "index": "event-*",
  "impacted_user_count": 22,
  "suspicious_ips": "[['ip', 'fail_percentage', 'failure_count', 'success_count'],
  ['193.118.55.162', 100.0, 5, 0], ['103.153.190.238', 40.0, 2, 3], ['209.141.36.112', 100.0, 1, 0], 
  ['198.235.24.173', 100.0, 1, 0], ['140.213.15.89', 33.33, 1, 2], ['197.210.53.113', 33.33, 1, 2], 
  ['47.9.0.237', 25.0, 1, 3], ['164.100.133.253', 0.0, 0, 2], ['197.210.70.62', 0.0, 0, 1], 
  ['171.245.218.108', 0.0, 0, 1], ['116.50.59.204', 0.0, 0, 1], ['102.88.62.82', 0.0, 0, 1], 
  ['223.196.170.127', 0.0, 0, 2], ['180.247.45.59', 0.0, 0, 1], ['129.205.124.227', 0.0, 0, 7], 
  ['105.113.20.110', 0.0, 0, 2], ['213.55.85.89', 0.0, 0, 3], ['105.178.43.219', 0.0, 0, 7], 
  ['103.134.0.5', 0.0, 0, 1], ['103.28.246.254', 0.0, 0, 3], ['102.89.34.16', 0.0, 0, 4], 
  ['197.211.58.30', 0.0, 0, 5], ['121.101.133.181', 0.0, 0, 2]]",
  "anomalous_suspicious_ips": [
    "193.118.55.162", "103.153.190.238", "209.141.36.112",
    "198.235.24.173", "140.213.15.89", "197.210.53.113",
    "47.9.0.237", "164.100.133.253", "197.210.70.62",
    "171.245.218.108", "116.50.59.204", "102.88.62.82",
    "223.196.170.127", "180.247.45.59", "129.205.124.227",
    "105.113.20.110", "213.55.85.89", "105.178.43.219",
    "103.134.0.5", "103.28.246.254", "102.89.34.16",
    "197.211.58.30", "121.101.133.181"
  ],
  "compromised_users": "{'105.178.43.219': ['abcd@gmail.com'], '129.205.124.227': ['efgh@gmail.com'], '197.211.58.30': ['sam@GMAIL.COM'], '102.89.34.16': ['oda@gmail.com'], '103.153.190.238': ['juni@gmail.com'], '103.28.246.254': ['giri@outlook.com'], '213.55.85.89': ['nag@gmail.com'], '47.9.0.237': ['azam@gmail.com'], '105.113.20.110': ['oye@gmail.com'], '121.101.133.181': ['fahim@gmail.com'], '140.213.15.89': ['asda@gmail.com'], '164.100.133.253': ['bharg@tcs.com'], '197.210.53.113': ['luya@gmail.com'], '223.196.170.127': ['bhavya@kyndryl.com'], '102.88.62.82': ['mimi@gmail.com'], '103.134.0.5': ['leo@gmail.com'], '116.50.59.204': ['venkat@unilever.com'], '171.245.218.108': ['arush@gmail.com'], '180.247.45.59': ['sasds@gmail.com'], '197.210.70.62': ['chia@gmail.com']}",
  "xfe_threat_insight": "Found 23 known malicious IPs, having categories: bots: 22, c2server: 0, mw: 0, scanning: 2",
  "xfe_confirmed_malicious_ips": [
    "129.205.124.227", "116.50.59.204", "102.89.34.16",
    "193.118.55.162", "103.153.190.238", "180.247.45.59",
    "164.100.133.253", "197.210.70.62", "171.245.218.108",
    "198.235.24.173", "102.88.62.82", "213.55.85.89",
    "105.178.43.219", "103.134.0.5", "209.141.36.112",
    "103.28.246.254", "197.211.58.30", "47.9.0.237",
    "197.210.53.113", "223.196.170.127", "121.101.133.181",
    "105.113.20.110", "140.213.15.89"
  ],
  "top5_affected_event_type": "{'risk': 44, 'authentication': 36, 'sso': 31, 'management': 4}",
  "most_significant_event_type": [
    "risk",
    "authentication",
    "sso"
  ],
  "top5_affected_tenantname": "{'tenant1.abc.com': 92, 'tenant2.abc.com': 23}",
  "most_significant_tenantname": [
    "tenant1.abc.com"
  ],
  "top5_affected_data_subtype": "{'oidc': 23, 'user_password': 17, 'mfa': 11, 'saml': 8, 'token-exchange': 7}",
  "most_significant_data_subtype": [
    "oidc",
    "user_password",
    "mfa"
  ],
  "top5_affected_data_scope": "{'openid': 20, 'openid email': 2, 'openid profile': 1}",
  "most_significant_data_scope": [
    "openid"
  ],
  "top5_affected_data_cause": "{
    'Token Exchange Successful': 7, 
    \"CSIAC4610E Unable to retrieve the application's configuration for the Entity ID https://18.135.137.31/samlsp.em7?action=metadata because there is no match found.\": 5, 
    'Authenticated user \"pascal@gmail.com\" successfully.': 2, 
    'Authenticated user \"negu@gmail.com\" successfully.': 2, 
    'The system failed to authenticate user \"juni@gmail.com\" because of \"INVALID_CREDS\".': 2
  }",
  "most_significant_data_cause": [
    "Token Exchange Successful",
    "CSIAC4610E Unable to retrieve the application's configuration for the Entity ID https://18.135.137.31/samlsp.em7?action=metadata because there is no match found.",
    "Authenticated user \"pascal@gmail.com\" successfully."
  ],
  "top5_affected_data_sourcetype": "{'clouddirectory': 24, 'oidc': 7, 'saml': 1}",
  "most_significant_data_sourcetype": [
    "clouddirectory",
    "oidc"
  ],
  "top5_affected_data_providerid": "{'https://18.135.137.31/samlsp.em7?action=metadata': 5, 'https://18.135.144.228/samlsp.em7?action=metadata': 1, 'https://3.123.117.242/samlsp.em7?action=metadata': 1, 'https://tenant1.abc.com/saml/sps/saml20ip/saml20': 1, 'https://sso.everbridge.net/GNMManager': 1}",
  "most_significant_data_providerid": [
    "https://18.135.137.31/samlsp.em7?action=metadata",
    "https://18.135.144.228/samlsp.em7?action=metadata",
    "https://3.123.117.242/samlsp.em7?action=metadata"
  ],
  "top5_affected_data_grant_type": "{'authorization_code': 18, 'resource_owner': 7, 'implicit': 5}",
  "most_significant_data_grant_type": [
    "authorization_code",
    "resource_owner"
  ],
  "top5_affected_data_mfamethod": "{'Email OTP': 15}",
  "most_significant_data_mfamethod": [
    "Email OTP"
  ],
  "top5_affected_data_username": "{'aze@gmail.com': 16, 'pascal@gmail.com': 12, 'SAM@GMAIL.COM': 10, 'oda@gmail.com': 8, 'UNKNOWN': 7}",
  "most_significant_data_username": [
    "aze@gmail.com",
    "pascal@gmail.com",
    "SAM@GMAIL.COM",
    "oda@gmail.com"
  ],
  "top5_affected_geoip_country_name": "{'Nigeria': 46, 'India': 20, 'Indonesia': 20, 'Rwanda': 12, 'Netherlands': 5}",
  "most_significant_geoip_country_name": [
    "Nigeria",
    "India",
    "Indonesia"
  ]
}

Potential credential stuffing (PCS) attack

This alert indicates a potential credential stuffing attack. A sudden increase in username/password failures was detected. The activity level is compared to the normal SSO behavior or Auth events in the last 14 days. The alert contains details on any rogue IP addresses that were found during the attack.

Investigation
Analyze the traffic to determine whether it is a real attack and whether any remediation action is needed. The following investigation criteria and attributes provide the context for that decision.
Investigation criteria and attributes
Identify the affected tenant URL: top5_affected_tenantname
Identify the list of suspicious IPs and validate whether any login requests from these IPs succeeded:
  • xfe_confirmed_malicious_ips - List of actionable IPs from which SSO, authentication, or management events were found in the last 1 hour.
  • xfe_threat_insight - Categories associated with the actionable IPs. For example, "Found 3 known malicious IPs, having categories: anons - 0, bots - 3, c2server - 0, mw - 0, scanning - 0."
  • suspicious_ips - List of actionable IPs found in the last hour, with the failure percentage, number of successful login events, and number of failed login events for each IP.
Identify the severity of the alert:
  • Critical - If the number of anomalous events is > max(5*normal_failure_count, 10000).
  • Warning - If the number of anomalous events is in the range [min(3*normal traffic volume, 5000), Critical value].
Fetch more information on the cause of failures: top5_affected_data_cause
Identify affected usernames: top5_affected_data_username shows the top 5 accounts that were used most during the attack.
Identify whether any account was accessed successfully from suspicious IPs: compromised_users
Identify the affected application: top5_affected_data_applicationname
Identify traffic volume: normal_traffic_volume provides a baseline count based on the last 14 days of events, which is compared with the events in the last 1 hour. anomalous_event_count is the difference between the total events in the last 1 hour and normal_traffic_volume.
Debug affected components during the attack or for operational issues: the following attributes can be analyzed for further context:
  • most_significant_data_client_name
  • most_significant_data_providerid
  • most_significant_data_redirecturl
  • most_significant_data_scope
  • most_significant_data_subtype
  • most_significant_geoip_country_name
Note: The number of events for each value of the attributes above is given in the corresponding top5_affected_<FIELD NAME> attribute.
Some known analysis patterns
  • Check the xfe_confirmed_malicious_ips list. If any IP is found in this list, it can be blocked directly or reported as an attack with high confidence.
  • Look at the statistics of the IPs in the suspicious_ips list.
    • If most of the failed events come from a single IP and the remaining IPs each have few failures, then someone might have run a script or application configured with a wrong username or password (identify the valid usernames accessed from that IP). Also look at the cause of failure and top5_affected_data_applicationname to see whether it matches a known issue.
    • If multiple IPs in the suspicious IP list have a significant failure count, then it is highly likely to be an attack. Check top5_affected_geoip_country_name in the alert, and also the country and username distribution for each high-failure suspicious IP individually.
    • If the failures are for a specific application, they might be due to a misconfiguration of that application. Check with the application owner.
  • For authentication events, if most failure causes contain strings such as INVALID_CREDS, then it might be an attack.
Possible remediation actions
  • If unsure whether it is an attack, monitor the traffic. Determine whether traffic with a username or a password failure is increasing.
  • If confirmed as an attack, block the IPs listed in the anomalous_suspicious_ips attribute.
  • Accounts that were successfully logged in from suspicious IPs are potentially compromised. The potentially compromised usernames for each suspicious IP are listed in the compromised_users attribute. For compromised accounts, decide whether to reset the passwords or disable the accounts.
Sample alert
{
  "rule_id": "CREDENTIAL_STUFFING_SSO",
  "rule_name": "Potential credential stuffing attack (SSO)",
  "summary": "Potential credential stuffing attack (SSO): 31348 anomalous events are observed, beyond normal traffic volume, from 2022-11-23 17:00:00 UTC to 2022-11-23 18:00:00 UTC.",
  "source": "[('tenantid', '874f131f-79a9-4581-b078-de7681091fbc'), ('tenantname', 'tenant1.abc.com'), ('data.result', 'failure')]",
  "component": "Login activity",
  "anomalous_event_count": 31348,
  "normal_traffic_volume": 1004,
  "start_time": 1669222800000,
  "end_time": 1669226400000,
  "date": "2022-11-23",
  "severity": "critical",
  "index": "event-sso-*",
  "impacted_user_count": 32090,
  "impacted_apps_count": 5,
  "suspicious_ips": "[['ip', 'fail_percentage', 'failure_count', 'success_count'], 
  ['52.117.163.162', 98.72, 10517, 136], ['169.50.223.22', 98.53, 5502, 82], ['169.50.223.24', 98.42, 5431, 87], 
  ['169.59.129.120', 98.44, 5242, 83], ['169.59.129.116', 98.67, 5185, 70]]",
  "anomalous_suspicious_ips": [
    "169.50.223.22",
    "169.50.223.24",
    "169.59.129.116",
    "169.59.129.120",
    "52.117.163.162"
  ],
  "compromised_users": "{'52.117.163.162': ['Aroh@gmail.com', 'Carb@aol.com', 'Sha@gmail.com'], '169.50.223.24': ['Thar@univ.jfn.ac.lk', 'Tn@gmail.com', 'ain@gmail.com'], '169.59.129.120': ['IBM@mailinator.com', '118@umail.ucc.ie', '229@qq.com', '405@qq.com'], '169.50.223.22': ['IBM@mailinator.com', '4A8@stust.edu.tw', '4A8@stust.edu.tw'], '169.59.129.116': ['IBM@mailinator.com', '202@student.act.edu']}",
  "xfe_threat_insight": "Found 1 known malicious IPs, having categories: anonsvcs: 0, bots: 0, c2server: 0, mw: 1, scanning: 0.",
  "xfe_confirmed_malicious_ips": ["52.117.163.162"],
  "top5_affected_tenantname": "{'tenant1.abc.com': 32352}",
  "most_significant_tenantname": [
    "tenant1.abc.com"
  ],
  "top5_affected_data_subtype": "{'oidc': 32352}",
  "most_significant_data_subtype": [
    "oidc"
  ],
  "top5_affected_data_scope": "{'openid': 32352}",
  "most_significant_data_scope": [
    "openid"
  ],
  "top5_affected_data_cause": "{'CSIAQ0264E The user name or password is invalid.': 32321, 'CSIAQ0264E El nombre de usuario o la contraseña no es válido.': 12, 'CSIAQ0264E O nome do usuário ou a senha é inválida.': 9, 'CSIAQ0264E 用户名或密码无效。': 4, 'CSIAQ0264E 사용자 이름 또는 비밀번호가 올바르지 않습니다.': 2}",
  "most_significant_data_cause": [
    "CSIAQ0264E The user name or password is invalid."
  ],
  "top5_affected_data_applicationname": "{'urx_next': 31877, 'ABC_PROD_CLOUD': 347, 'ABC Cloud IAM production - global': 117, 'ABC Cloud IAM staging - global': 7, 'ABC Cloud IAM integrationtest': 4}",
  "most_significant_data_applicationname": [
    "urx_next"
  ],
  "top5_affected_data_client_name": "{'urx_next': 31877, 'ABC_PROD_CLOUD': 347, 'ABC Cloud IAM production - global': 117, 'ABC Cloud IAM staging - global': 7, 'ABC Cloud IAM integrationtest': 4}",
  "most_significant_data_client_name": [
    "urx_next"
  ],
  "top5_affected_data_redirecturl": "{'UNKNOWN': 32352}",
  "most_significant_data_redirecturl": [
    "UNKNOWN"
  ],
  "top5_affected_data_providerid": "{}",
  "most_significant_data_providerid": [],
  "top5_affected_data_username": "{'wsa@ibm.com': 319, 'arm@gmail.com': 17, 'armo@gmail.com': 9, '123@mail.ru': 6, 'e_epps@ymail.com': 6}",
  "most_significant_data_username": [
    "wsa@ibm.com"
  ],
  "top5_affected_geoip_country_name": "{'United States': 32334, 'Australia': 17, 'United Kingdom': 1}",
  "most_significant_geoip_country_name": [
    "United States"
  ]
}

Multiple failed login attempts from IP address

This alert indicates either a brute force or a credential stuffing attack. A sudden increase in failed logins from an IP address was detected. The activity level is compared to the normal SSO behavior or Auth events in the last 7 days.

Investigation
Analyze the traffic to determine whether it is a real attack and whether any remediation action is needed. The following investigation criteria and attributes provide the context for that decision.
Investigation criteria and attributes
Identify the affected tenant URL: top5_affected_tenantname
Identify the list of suspicious IPs and validate whether any login requests from these IPs succeeded:
  • xfe_confirmed_malicious_ips - List of actionable IPs from which SSO, authentication, or management events were found in the last 1 hour.
  • xfe_threat_insight - Categories associated with the actionable IPs. For example, "Found 3 known malicious IPs, having categories: anons - 0, bots - 3, c2server - 0, mw - 0, scanning - 0."
  • suspicious_ips - List of actionable IPs found in the last hour, with the failure percentage, number of successful login events, and number of failed login events for each IP.
Identify the severity of the alert:
  • Critical - If the number of anomalous events is > max(5*normal_failure_count, 5000).
  • Warning - If the number of anomalous events is in the range [min(3*normal traffic volume, 500), Critical value].
Fetch information on the cause of failures: top5_affected_data_cause helps determine whether the failures are due to an operational issue.
Identify affected usernames: top5_affected_data_username shows the top 5 accounts that were used most during the attack.
Identify whether any account was accessed successfully from suspicious IPs: compromised_users
Identify the affected application: top5_affected_data_applicationname
Identify traffic volume: normal_traffic_volume provides a baseline count based on the last 7 days of events, which is compared with the events in the last 1 hour. anomalous_event_count is the difference between the total events in the last 1 hour and normal_traffic_volume.
Debug affected components during the attack or for operational issues: the following attributes can be analyzed for further context:
  • most_significant_data_client_name
  • most_significant_data_providerid
  • most_significant_data_redirecturl
  • most_significant_data_scope
  • most_significant_data_subtype
  • most_significant_geoip_country_name
Note: The number of events for each value of the attributes above is given in the corresponding top5_affected_<FIELD NAME> attribute.
In addition to the investigation criteria and attributes already mentioned, cross-verify the following details:
  • Sometimes, failed logins are generated by operational issues. Identify whether any known issue could be causing these failures and hence the alert.
  • Identify whether multiple usernames are used from the IP. If so, identify whether the IP is a VPN address. If the IP address is not a VPN, then it can be an attack.
Some known analysis patterns
  • Check the xfe_confirmed_malicious_ips list; if the IP is listed there, block it.
  • Check the number of Multiple Failed Login alerts generated in that hour, then identify top5_affected_data_cause, top5_affected_data_applicationname, and top5_affected_data_username.
    • If the traffic is from a specific application and a specific user, then someone might have configured the wrong username or password and run a script. Confirm whether it is legitimate traffic.
    • If the traffic is coming from multiple users, block the IP (unless it is a VPN or proxy IP address). If the IP is a VPN or proxy IP, check top5_affected_data_cause to determine whether the failures are due to an operational issue.
    • If multiple alerts are found in one hour, identify top5_affected_tenantname and top5_affected_data_username for each alert. If multiple IPs have the most failures for a single tenant and from multiple users, it can be an attack or a major application or system failure.
Possible remediation actions
  • If unsure whether it is an attack, monitor the traffic to determine whether failures are decreasing or increasing.
  • If confirmed as an attack, block the IPs listed in the anomalous_suspicious_ips attribute.
  • Accounts that were successfully logged in from suspicious IPs are potentially compromised. The potentially compromised usernames for each suspicious IP are listed in the compromised_users attribute. For compromised accounts, decide whether to reset the passwords or disable the accounts.
Sample alert
{
    "rule_id": "MULTIPLE_FAILED_LOGIN_AUTH",
    "rule_name": "Multiple failed login from an IP address (Auth)",
    "summary": "Multiple failed login from an IP address (Auth): 5597 anomalous events are observed, beyond normal traffic volume, from 2023-01-10 17:00:00 UTC to 2023-01-10 18:00:00 UTC.",
    "source": "[('data.origin', '165.155.173.54'), ('data.result', 'failure')]",
    "component": "Login activity",
    "anomalous_event_count": 5597,
    "normal_traffic_volume": 0,
    "start_time": 1673370000000,
    "end_time": 1673373600000,
    "date": "2023-01-10",
    "severity": "critical",
    "index": "event-authentication-*",
    "impacted_user_count": 17,
    "suspicious_ips": "[['ip', 'fail_percentage', 'failure_count', 'success_count'], ['165.155.173.54', 98.45, 5597, 88]]",
    "anomalous_suspicious_ips": [
      "165.155.173.54"
    ],
    "compromised_users": "{'165.155.173.54': ['serafina', 'alessi', 'donyg', 'evanb', 'joelr', 'taqb', 'anthony', 'heaven', 'jenny', 'jessica']}",
    "xfe_threat_insight": "Found 0 known malicious IPs.",
    "xfe_confirmed_malicious_ips": [],
    "top5_affected_tenantname": "{'tenant1.abc.com': 5593, 'tenant2.abc.com': 4}",
    "most_significant_tenantname": [
      "tenant1.abc.com"
    ],
    "top5_affected_data_subtype": "{'user_password': 5596, 'mfa': 1}",
    "most_significant_data_subtype": [
      "user_password"
    ],
    "top5_affected_data_scope": "{}",
    "most_significant_data_scope": [],
    "top5_affected_data_cause": "{'The system failed to authenticate user \"aariz\" because of \"INVALID_CREDS\".': 5579, 
    'The system failed to authenticate user \"anthony\" because of \"INVALID_CREDS\".': 2, 
    'The system failed to authenticate user \"mtorr\" because of \"INVALID_CREDS\".': 2, 
    'CSIAH2417E The one-time password that you submitted was invalid. Submit a valid one-time password.': 1, 
    'The system failed to authenticate user \"aless\" because of \"INVALID_CREDS\".': 1}",
    "most_significant_data_cause": [
      "The system failed to authenticate user \"aari\" because of \"INVALID_CREDS\"."
    ],
    "top5_affected_data_sourcetype": "{'clouddirectory': 5596}",
    "most_significant_data_sourcetype": [
      "clouddirectory"
    ],
    "top5_affected_data_providerid": "{}",
    "most_significant_data_providerid": [],
    "top5_affected_data_grant_type": "{}",
    "most_significant_data_grant_type": [],
    "top5_affected_data_mfamethod": "{'SMS OTP': 1}",
    "most_significant_data_mfamethod": [
      "SMS OTP"
    ],
    "top5_affected_data_username": "{'aari': 5579, 'anthony': 2, 'mtor': 2, 'ANor': 1, 'aless': 1}",
    "most_significant_data_username": [
      "aari"
    ],
    "top5_affected_geoip_country_name": "{'United States': 5597}",
    "most_significant_geoip_country_name": [
      "United States"
    ]
}

Abnormal number of failed SSO/Authentication events observed per tenant

This alert indicates either a brute force or credential stuffing attack, or operational issues.

Investigation
Analyze the traffic to determine whether it is a real attack and whether any remediation action is needed. The following investigation criteria and attributes provide the context for that decision.
Investigation criteria and attributes
Identify the affected tenant URL: top5_affected_tenantname
Identify the list of suspicious IPs and validate whether any login requests from these IPs succeeded:
  • xfe_confirmed_malicious_ips - List of actionable IPs from which SSO, authentication, or management events were found in the last 1 hour.
  • xfe_threat_insight - Categories associated with the actionable IPs. For example, "Found 3 known malicious IPs, having categories: anons - 0, bots - 3, c2server - 0, mw - 0, scanning - 0."
  • suspicious_ips - List of actionable IPs found in the last hour, with the failure percentage, number of successful login events, and number of failed login events for each IP.
Identify the severity of the alert:
  • Critical - If the number of anomalous events is > max(5*normal_failure_count, 10000).
  • Warning - If the number of anomalous events is in the range [min(3*normal traffic volume, 5000), Critical value].
Fetch information on the cause of failures: top5_affected_data_cause helps determine whether the failures are due to an operational issue.
Identify affected usernames: top5_affected_data_username shows the top 5 accounts that were used most during the attack.
Identify the affected application: top5_affected_data_applicationname
Identify traffic volume: normal_traffic_volume provides a baseline count based on the last 14 days of events, which is compared with the events in the last 1 hour. anomalous_event_count is the difference between the total events in the last 1 hour and normal_traffic_volume.
Debug affected components during the attack or for operational issues: the following attributes can be analyzed for further context:
  • most_significant_data_client_name
  • most_significant_data_providerid
  • most_significant_data_redirecturl
  • most_significant_data_scope
  • most_significant_data_subtype
  • most_significant_geoip_country_name
Note: The number of events for each value of the attributes above is given in the corresponding top5_affected_<FIELD NAME> attribute.
In addition to the investigation criteria and attributes already mentioned, cross-verify the following details:
  • Sometimes, failed login events are generated by operational issues.
    • Identify whether any known issue might be causing these failures and hence the alert.
    • Identify whether any other alerts indicating an attack were generated, such as Multiple failed login attempts from IP address or Potential credential stuffing attack.
Possible remediation actions
  • If unsure whether it is an attack, monitor the traffic to determine whether failures are decreasing or increasing.
  • If confirmed as an attack, block the IPs listed in the anomalous_suspicious_ips attribute.
  • Accounts that were successfully logged in from suspicious IPs are potentially compromised. The potentially compromised usernames for each suspicious IP are listed in the compromised_users attribute. For compromised accounts, decide whether to reset the passwords or disable the accounts.
Sample alert
{
    "rule_id": "TENANT_FAILED_SSO_EVENTS",
    "rule_name": "Abnormal number of failed SSO events observed per tenant.",
    "summary": "Abnormal number of failed SSO events observed per tenant.: 24456 anomalous events are observed, beyond normal traffic volume, from 2022-12-19 10:00:00 UTC to 2022-12-19 11:00:00 UTC.",
    "source": "[('tenantid', '874f131f-79a9-4581-b078-de7681091fbc'), ('tenantname', 'tenant1.abc.com'), ('data.result', 'failure')]",
    "component": "Login activity",
    "anomalous_event_count": 24456,
    "normal_traffic_volume": 711,
    "start_time": 1671444000000,
    "end_time": 1671447600000,
    "date": "2022-12-19",
    "severity": "critical",
    "index": "event-sso-*",
    "impacted_user_count": 88,
    "impacted_apps_count": 37,
    "suspicious_ips": "[['ip', 'fail_percentage', 'failure_count', 'success_count'], 
    ['177.241.73.204', 100.0, 24777, 0], ['129.42.21.2', 100.0, 26, 0], ['129.42.18.2', 100.0, 24, 0], 
    ['129.42.19.2', 100.0, 24, 0], ['89.64.54.76', 100.0, 19, 0], ['52.116.134.146', 100.0, 12, 0], 
    ['122.161.79.4', 100.0, 11, 0]]",
    "anomalous_suspicious_ips": [
      "122.161.79.4",
      "177.241.73.204",
      "89.64.54.76"
    ],
    "xfe_threat_insight": "Found 1 known malicious IPs, having categories: anonsvcs: 0, bots: 1, c2server: 0, mw: 0, scanning: 0.",
    "xfe_confirmed_malicious_ips": ["122.161.79.4"],
    "top5_affected_tenantname": "{'tenant1.abc.com': 25167}",
    "most_significant_tenantname": [
      "tenant1.abc.com"
    ],
    "top5_affected_data_subtype": "{'oidc': 25167}",
    "most_significant_data_subtype": [
      "oidc"
    ],
    "top5_affected_data_scope": "{'openid email': 24790, 'openid': 259, 'openid profile': 2, 'openid profile email': 1}",
    "most_significant_data_scope": [
      "openid email"
    ],
    "top5_affected_data_cause": "{'CSIAQ0178E Login is required. The request cannot be processed without authentication.': 24777, 
    'CSIAQ0278E User is not authorized to access the application due to policy constraints.': 150, 
    'CSIAQ0158E The [authorization_grant] of type [authorization_code] does not exist or is invalid.': 70, 
    'CSIAQ0158E The [authorization_grant] of type [refresh_token] does not exist or is invalid.': 31, 
    'CSIAQ0158E タイプ [refresh_token] の [authorization_grant] は存在しないか無効です。': 13}",
    "most_significant_data_cause": [
      "CSIAQ0178E Login is required. The request cannot be processed without authentication."
    ],
    "top5_affected_data_applicationname": "{'Gaz-HAT-Production': 24777, 'abc-refresh-service-prod': 107, 'ABCProductionOIDC': 72, 'ABC Publisher': 63, 'FastPassPRDClient': 30}",
    "most_significant_data_applicationname": [
      "Gaz-HAT-Production"
    ],
    "top5_affected_data_client_name": "{'ABC-HAT-Production': 24777, 'ABCrefresh-service-prod': 107, 'ABCProductionOIDC': 72, 'abc Publisher': 63, 'abcFastPassPRDClient': 30}",
    "most_significant_data_client_name": [
      "ABC-HAT-Production"
    ],
    "top5_affected_data_redirecturl": "{'https://gaz.tuc.stglabs.ibm.com/oidc/callback/': 24777, 'https://w3-authorization-service.us-south-k8s.intranet.ibm.com/sso/callback': 88, 'https://w3.ibm.com/w3publisher/redirect.html': 63, 'UNKNOWN': 50, 'https://fastpass.w3cloud.ibm.com:443/oidcclient/redirect/FastPassPRDClient': 30}",
    "most_significant_data_redirecturl": [
      "https://gaz.tuc.stglabs.ibm.com/oidc/callback/"
    ],
    "top5_affected_data_providerid": "{}",
    "most_significant_data_providerid": [],
    "top5_affected_data_username": "{'UNKNOWN': 24978, 'katar@ocean.ibm.com': 19, 'Jaya@ocean.ibm.com': 17, 'shiv@ocean.ibm.com': 11, 'Neha@ocean.ibm.com': 10}",
    "most_significant_data_username": [
      "UNKNOWN"
    ],
    "top5_affected_geoip_country_name": "{'Mexico': 24777, 'United States': 192, 'India': 84, 'Poland': 26, 'Japan': 22}",
    "most_significant_geoip_country_name": [
      "Mexico"
    ]
}

Frequent authentication from a single user

This alert indicates either a brute force or credential stuffing attack, or operational issues.

Investigation
Analyze the traffic to understand if it can be a real attack or not and if any remediation action is needed. Refer to the following details to gain more knowledge about the involved criteria and the attributes. Based on the provided context, determine whether it can be a real attack or not.
Investigation criteria and attributes:
Identify the affected tenant URL: top5_affected_tenantname
Identify the severity of the alert:
  • Critical - If the number of anomalous events is > max(5*normal_failure_count, 10000).
  • Warning - If the number of anomalous events is between [min(3*normal traffic volume, 5000), Critical value].
Identify affected usernames: top5_affected_data_username shows the top 5 accounts that are used most during the attack.
Identify the affected application: top5_affected_data_applicationname
Identify traffic volume: normal_traffic_volume provides a baseline count, based on the last 7 days of events, that is compared with the events in the last 1 hour. anomalous_event_count is the difference between the total events in the last 1 hour and normal_traffic_volume.
Debug affected components during the attack or for operational issues: the following attributes can be analyzed to get further context for the investigation:
  • most_significant_data_client_name
  • most_significant_data_providerid
  • most_significant_data_redirecturl
  • most_significant_data_scope
  • most_significant_data_subtype
  • most_significant_geoip_country_name
Note: The number of events for each value of the above attributes is given in the corresponding top5_affected_<FIELD NAME> attribute.
In addition to the investigation criteria and attributes already mentioned, cross-verify the following details:
  • Sometimes, frequent authentication might be due to a misconfiguration of the app. Identify whether there is any known issue that might be causing these failures and so raising the alert.
Some known analysis patterns
  • Identify whether multiple alerts are coming in the same interval for a single tenant. If yes, check for any known operational issue for the tenant; otherwise, look at the top5_affected_data_applicationname attribute to identify the application responsible for generating the alert.
  • If the alert is being generated from the same source (that is, the same tenant URL and username) for multiple hours, the user can be blocked for some duration (for example, 24 hours).
  • Look at the IP address and application-name distribution to identify whether it is a distributed attack.
Possible remediation actions
  • If unsure whether it is an attack, monitor the traffic. Determine whether traffic with a username or a password failure is increasing.
  • If the traffic is identified as suspicious, block the account for which the alert is generated as a proactive remediation.
Sample alert
{
    "rule_id": "FREQUENT_AUTH_SINGLEUSER_AUTH",
    "rule_name": "Frequent authentication from single user (Auth)",
    "summary": "Frequent authentication from single user (Auth): 16283 anomalous events are observed, beyond normal traffic volume, from 2022-12-26 10:00:00 UTC to 2022-12-26 11:00:00 UTC.",
    "source": "[('tenantid', '874f131f-79a9-4581-b078-de7681091fbc'), ('data.username', 'MSurk'), ('data.result', 'success')]",
    "component": "Login activity",
    "anomalous_event_count": 16283,
    "normal_traffic_volume": 0,
    "start_time": 1672048800000,
    "end_time": 1672052400000,
    "date": "2022-12-26",
    "severity": "critical",
    "index": "event-authentication-*",
    "impacted_user_count": 1,
    "anomalous_suspicious_ips": [
      "12.153.148.57"
    ],
    "top5_affected_tenantname": "{'tenant1.abc.com': 16283}",
    "most_significant_tenantname": [
      "tenant1.abc.com"
    ],
    "top5_affected_data_cause": "{'Authenticated user \"MSurk\" successfully.': 16283}",
    "most_significant_data_cause": [
      "Authenticated user \"MSurk\" successfully."
    ],
    "top5_affected_data_subtype": "{'user_password': 16283}",
    "most_significant_data_subtype": [
      "user_password"
    ],
    "top5_affected_data_scope": "{}",
    "most_significant_data_scope": [],
    "top5_affected_data_sourcetype": "{'clouddirectory': 16283}",
    "most_significant_data_sourcetype": [
      "clouddirectory"
    ],
    "top5_affected_data_origin": "{'12.153.148.57': 16283}",
    "most_significant_data_origin": [
      "12.153.148.57"
    ],
    "top5_affected_data_providerid": "{}",
    "most_significant_data_providerid": [],
    "top5_affected_data_grant_type": "{}",
    "most_significant_data_grant_type": [],
    "top5_affected_data_mfamethod": "{}",
    "most_significant_data_mfamethod": [],
    "top5_affected_data_username": "{'MSurk': 16283}",
    "most_significant_data_username": [
      "MSurk"
    ],
    "top5_affected_geoip_country_name": "{'United States': 16283}",
    "most_significant_geoip_country_name": [
      "United States"
    ]
}

Abnormal number of MFA device enrollments

This alert indicates a brute force attack.

Investigation
Analyze the traffic to understand if it can be a real attack or not and if any remediation action is needed. Refer to the following details to gain more knowledge about the involved criteria and the attributes. Based on the provided context, determine whether it can be a real attack or not.
Investigation criteria and attributes:
Identify the affected tenant URL: top5_affected_tenantname
Identify the severity of the alert:
  • Critical - If the number of unique MFA devices per user is > 20.
  • Warning - If the number of unique MFA devices per user is between [8, 20].
Identify the most used mfamethod in the last 1 hour: top5_affected_data_mfamethod
Some known analysis patterns
  • This alert is generated on management events. If an alert is found, check whether it comes from a valid user. If the user is valid, identify the type of authentication (top5_affected_data_mfamethod) and the number of devices enrolled (anomalous_event_count). Take action if this is found to be suspicious.
Possible remediation actions
  • If unsure whether it is an attack, monitor the traffic. Determine whether traffic with a username or a password failure is increasing.
  • If the traffic is identified as suspicious, block the account for which the alert is generated as a proactive remediation.
Sample alert
{
    "rule_name": "Abnormal number of device enrollments",
    "rule_id": "ABNORMAL_DEVICE_ENROLLMENT",
    "summary": "Abnormal number of device enrollments: 20 anomalous events are observed, beyond normal traffic volume, from 2023-01-12 17:00:00 UTC to 2023-01-12 18:00:00 UTC.",
    "severity": "critical",
    "date": "2023-01-12",
    "start_time": "2023-01-12 17:00:00",
    "end_time": "2023-01-12 18:00:00",
    "component": "Login activity",
    "normal_traffic_volume": 0,
    "anomalous_event_count": 20,
    "impacted_user_count": 1,
    "index": "event-management-*",
    "most_significant_data_origin": [
      "129.41.58.3"
    ],
    "top5_affected_data_username": "{'Henry': 20}",
    "source": "[('data.mfamethod', 'Voice OTP'), ('data.username', 'Henry')]",
    "most_significant_data_mfamethod": [
      "Voice OTP"
    ],
    "most_significant_geoip_country_name": [
      "United States"
    ],
    "most_significant_data_grant_type": [],
    "top5_affected_tenantname": "{'tenant1.abc.com': 20}",
    "most_significant_tenantname": [
      "tenant1.abc.com"
    ],
    "top5_affected_data_origin": "{'129.41.58.3': 20}",
    "anomalous_suspicious_ips": [
      "129.41.58.3"
    ],
    "top5_affected_geoip_country_name": "{'United States': 20}",
    "top5_affected_data_grant_type": "{}",
    "top5_affected_data_mfamethod": "{'Voice OTP': 20}",
    "most_significant_data_username": [
      "Henry"
    ]
}

Multiple use of compromised credentials

This alert indicates account takeover, brute force, or credential stuffing.

Investigation
Analyze the traffic to understand if it can be a real attack or not and if any remediation action is needed. Refer to the following details to gain more knowledge about the involved criteria and the attributes. Based on the provided context, determine whether it can be a real attack or not.
Investigation criteria and attributes:
Identify the affected tenant URL: top5_affected_tenantname
Identify the severity of the alert:
  • Critical - If the number of unique users using compromised passwords per IP is > 500.
  • Warning - If the number of unique users using compromised passwords per IP is between [50, 500].
Identify the IP address trying to use the compromised credentials: in the source attribute.
Identify affected usernames: top5_affected_data_username shows the top 5 accounts that are used most during the attack.
Identify traffic volume: normal_traffic_volume provides a baseline count, based on the last 7 days of events, that is compared with the events in the last 1 hour. anomalous_event_count is the difference between the total events in the last 1 hour and normal_traffic_volume.
Debug affected components during the attack or for operational issues: the following attributes can be analyzed to get further context for the investigation:
  • most_significant_data_sourcetype
  • most_significant_data_providerid
  • most_significant_data_scope
  • most_significant_data_subtype
  • most_significant_geoip_country_name
Note: The number of events for each value of the above attributes is given in the corresponding top5_affected_<FIELD NAME> attribute.
Some known analysis patterns
  • Identify whether the IP is trying to access multiple users with the compromised credentials, from the top5_affected_data_username attribute. If yes, the IP can be blocked for some duration.
  • If multiple alerts were found from multiple IPs in an hour, or the same IP was detected by the Multiple_failed_login or credential_stuffing rule, it might be a brute force attack or credential stuffing.
Possible remediation actions
  • If unsure whether it is an attack, monitor the traffic. Determine whether traffic with a username or a password failure is increasing.
  • If some user accounts were successfully accessed during the attack duration from the same IP, log the user out of all active sessions and prompt for a password change, or temporarily block the user as a proactive remediation.
  • If multiple users are being accessed from the IP with compromised credentials, block the IP in the source attribute.
Sample alert
{
    "rule_id": "COMPROMISED_CREDENTIALS",
    "rule_name": "Multiple use of compromised credentials",
    "summary": "Multiple use of compromised credentials: 100 anomalous events are observed, beyond normal traffic volume, from 2023-02-08 21:00:00 UTC to 2023-02-08 22:00:00 UTC.",
    "source": "[('data.origin', '129.41.58.3'), ('data.dict_type', 'GLOBAL')]",
    "component": "Login activity",
    "severity": "critical",
    "impacted_user_count": 1,
    "anomalous_event_count": 100,
    "normal_traffic_volume": 0,
    "date": "2023-02-08",
    "top5_affected_data_scope": "{}",
    "rule_attribute": "compromised_credentials",
    "top5_affected_data_username": "{'Henry': 100}",
    "start_time": "2023-02-08 21:00:00",
    "end_time": "2023-02-08 22:00:00",
    "index": "event-authentication-*",
    "most_significant_data_mfamethod": [],
    "most_significant_geoip_country_name": [
        "United States"
    ],
    "most_significant_data_grant_type": [],
    "top5_affected_tenantname": "{'tenant1.abc.com': 100}",
    "top5_affected_data_providerid": "{}",
    "most_significant_tenantname": [
        "tenant1.abc.com"
    ],
    "most_significant_data_sourcetype": [
        "clouddirectory"
    ],
    "most_significant_data_scope": [],
    "top5_affected_data_subtype": "{'user_password': 100}",
    "most_significant_data_subtype": [
        "user_password"
    ],
    "most_significant_data_providerid": [],
    "top5_affected_geoip_country_name": "{'United States': 100}",
    "top5_affected_data_grant_type": "{}",
    "top5_affected_data_mfamethod": "{}",
    "top5_affected_data_sourcetype": "{'clouddirectory': 100}",
    "most_significant_data_username": [
        "Henry"
    ]
}

Grouping by cause of failure

This alert indicates operational issues.

Investigation
Analyze the traffic to understand if it can be a real attack or not and if any remediation action is needed. Refer to the following details to gain more knowledge about the involved criteria and the attributes. Based on the provided context, determine whether it can be a real attack or not.
Investigation criteria and attributes:
Identify the affected tenant URL: top5_affected_tenantname
Identify the severity of the alert:
  • Critical - If the number of anomalous events is > max(5*normal_failure_count, 10000).
  • Warning - If the number of anomalous events is between [min(3*normal traffic volume, 5000), Critical value].
Identify affected usernames: top5_affected_data_username
Identify traffic volume: normal_traffic_volume provides a baseline count, based on the last 7 days of events, that is compared with the events in the last 1 hour. anomalous_event_count is the difference between the total events in the last 1 hour and normal_traffic_volume.
Debug affected components during the attack or for operational issues: the following attributes can be analyzed to get further context for the investigation:
  • most_significant_data_client_name
  • most_significant_data_providerid
  • most_significant_data_redirecturl
  • most_significant_data_scope
  • most_significant_data_subtype
  • most_significant_geoip_country_name
Note: The number of events for each value of the above attributes is given in the corresponding top5_affected_<FIELD NAME> attribute.
Identify the affected application and type of issue: from top5_affected_data_applicationname and the summary attributes.
Possible remediation actions
  • Depending on the operational issue, it might require configuration changes in the Verify admin console or the help of the Verify Support team.
Sample alert
{
    "rule_id": "CAUSE_OF_SSO_FAILURE",
    "rule_name": "Grouping by the cause of failure (SSO)",
    "summary": "Grouping by the cause of failure (SSO): 11314 anomalous events are observed, beyond normal traffic volume, from 2023-01-18 15:00:00 UTC to 2023-01-18 16:00:00 UTC.",
    "source": "[('data.cause', 'CSIAC5061E An unexpected error has occurred with a protocol module com.tivoli.am.fim.fedmgr2.protocol.GenericPocAuthenticationDelegateProtocol.'), ('data.result', 'failure')]",
    "component": "Login activity",
    "anomalous_event_count": 11314,
    "normal_traffic_volume": 1595,
    "start_time": 1674054000000,
    "end_time": 1674057600000,
    "date": "2023-01-18",
    "severity": "critical",
    "index": "event-sso-*",
    "impacted_user_count": 7774,
    "impacted_apps_count": 20,
    "top5_affected_tenantname": "{'tenant1.abc.com': 11057, 'tenant2.abc.com': 1852}",
    "most_significant_tenantname": [
      "tenant1.abc.com"
    ],
    "top5_affected_data_subtype": "{'saml': 12420, 'WS-Fed': 489}",
    "most_significant_data_subtype": [
      "saml"
    ],
    "top5_affected_data_scope": "{}",
    "most_significant_data_scope": [],
    "top5_affected_data_cause": "{'CSIAC5061E An unexpected error has occurred with a protocol module com.tivoli.am.fim.fedmgr2.protocol.GenericPocAuthenticationDelegateProtocol.': 12909}",
    "most_significant_data_cause": [
      "CSIAC5061E An unexpected error has occurred with a protocol module com.tivoli.am.fim.fedmgr2.protocol.GenericPocAuthenticationDelegateProtocol."
    ],
    "top5_affected_data_applicationname": "{'ABC-365': 320, 'Google.com': 67}",
    "most_significant_data_applicationname": [
      "ABC-365"
    ],
    "top5_affected_data_client_name": "{}",
    "most_significant_data_client_name": [],
    "top5_affected_data_redirecturl": "{}",
    "most_significant_data_redirecturl": [],
    "top5_affected_data_providerid": "{'UNKNOWN': 12472, 'urn:federation:MicrosoftOnline': 323}",
    "most_significant_data_providerid": [
      "UNKNOWN"
    ],
    "top5_affected_data_username": "{'UNKNOWN': 86, 'jer@abc.com': 60, 'crow@abc.com': 31, 'julia': 20, 'Bryan': 11}",
    "most_significant_data_username": [
      "UNKNOWN",
      "jer@abc.com",
      "crow@abc.com"
    ],
    "top5_affected_geoip_country_name": "{'United States': 12295, 'India': 178, 'Canada': 84, 'United Kingdom': 72, 'Mexico': 36}",
    "most_significant_geoip_country_name": [
      "United States"
    ]
}
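The severity rules given above for "Grouping by cause of failure" and, earlier, for "Frequent authentication from a single user" are the same volume formula, and the MFA-enrollment and compromised-credentials rules are simple count bands; all of them can be checked mechanically when an alert arrives. The top5_affected_* fields in every sample alert are Python dictionary literals stored as JSON strings, so a triage script has to parse them before it can rank tenants, users or origins. The following Python helper is an added example and not IBM's code: it parses those fields with ast.literal_eval, applies the thresholds exactly as the page states them, and summarizes the fields the investigation tables point an analyst at. SAMPLE_ALERT is a constructed, trimmed copy of the page's frequent-authentication sample, and the helper assumes normal_failure_count in the Critical formula can be read from the normal_traffic_volume field, because the sample alerts carry no separate normal_failure_count.

```python
"""Added triage helper for Verify threat-event alerts (example code, not IBM's).

Assumptions (not stated on the page):
- top5_affected_* fields are Python dict literals stored as strings, as in the
  sample alerts, so they are parsed with ast.literal_eval.
- normal_failure_count in the Critical formula is read from the
  normal_traffic_volume field, because the sample alerts carry no separate
  normal_failure_count.
"""
import ast
from typing import Dict, Optional

# Constructed input: a trimmed copy of the page's "Frequent authentication
# from a single user" sample alert.
SAMPLE_ALERT = {
    "rule_id": "FREQUENT_AUTH_SINGLEUSER_AUTH",
    "anomalous_event_count": 16283,
    "normal_traffic_volume": 0,
    "anomalous_suspicious_ips": ["12.153.148.57"],
    "top5_affected_tenantname": "{'tenant1.abc.com': 16283}",
    "top5_affected_data_username": "{'MSurk': 16283}",
    "top5_affected_data_origin": "{'12.153.148.57': 16283}",
    "top5_affected_data_providerid": "{}",
}

# (Warning floor, Critical value) for the two per-entity rules on the page.
MFA_DEVICE_BANDS = (8, 20)           # unique MFA devices per user
COMPROMISED_CRED_BANDS = (50, 500)   # unique users with compromised passwords per IP


def parse_top5(value: str) -> Dict[str, int]:
    """Turn "{'a': 3, 'b': 1}" into {'a': 3, 'b': 1}.

    ast.literal_eval accepts only Python literals, so a malformed or
    non-literal payload raises instead of being executed.
    """
    parsed = ast.literal_eval(value)
    if not isinstance(parsed, dict):
        raise ValueError(f"top5 field is not a dict literal: {value!r}")
    return {str(k): int(v) for k, v in parsed.items()}


def volume_severity(anomalous_event_count: int, normal_traffic_volume: int) -> Optional[str]:
    """Severity of the volume-based rules as the page states it:
    Critical if anomalous events > max(5*normal_failure_count, 10000),
    Warning if they fall within [min(3*normal_traffic_volume, 5000), Critical value].
    """
    critical_value = max(5 * normal_traffic_volume, 10000)
    warning_floor = min(3 * normal_traffic_volume, 5000)
    if anomalous_event_count > critical_value:
        return "critical"
    if warning_floor <= anomalous_event_count <= critical_value:
        return "warning"
    return None


def band_severity(count: int, warning_floor: int, critical_value: int) -> Optional[str]:
    """Two-band threshold shared by the MFA-enrollment and compromised-credentials
    rules: Critical above critical_value, Warning within [warning_floor, critical_value]."""
    if count > critical_value:
        return "critical"
    if warning_floor <= count <= critical_value:
        return "warning"
    return None


def triage(alert: dict) -> dict:
    """Summarize the fields the investigation table tells an analyst to check."""
    tenants = parse_top5(alert["top5_affected_tenantname"])
    users = parse_top5(alert["top5_affected_data_username"])
    origins = parse_top5(alert["top5_affected_data_origin"])
    total = sum(users.values())
    top_user, top_user_count = max(users.items(), key=lambda kv: kv[1])
    return {
        "severity": volume_severity(alert["anomalous_event_count"],
                                    alert["normal_traffic_volume"]),
        "tenant": max(tenants, key=tenants.get),
        "top_user": top_user,
        # Share of the hour's events on the top account: near 1.0 means a
        # single-user pattern rather than a spread-out one.
        "top_user_share": round(top_user_count / total, 3) if total else 0.0,
        "distinct_origins": len(origins),
        # One origin and one user for the whole hour is the "same source"
        # pattern the page says may justify a temporary block.
        "single_source": len(origins) == 1 and len(users) == 1,
    }


if __name__ == "__main__":
    print(triage(SAMPLE_ALERT))
```

Note that with a zero baseline, as in the frequent-authentication sample, the Warning floor collapses to min(0, 5000) = 0, so any hour with at most 10000 anomalous events lands in the Warning band under the page's formula; the sample's 16283 events exceed the 10000 Critical value, which matches the "critical" severity in that alert.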
Note: For more information about the audit events, see Threat event payload.

For more information about threat detection, see Threat Detection in Verify.