Many Login Failure Then Login Success


12/13/22, 2:50 PM Offense

Offense 572

Magnitude: Relevance 7, Severity 5, Credibility 2
Description: Login Failures Followed By Success to the same Destination IP
  preceded by Multiple Login Failures for the Same User
  preceded by Multiple Login Failures to the Same Destination
  preceded by Multiple Login Failures from the Same Source
  containing User Login Success
Offense Type: Destination IP
Event/Flow count: 88,059 events and 0 flows in 8 categories
Source IP(s): Multiple (58)
Destination IP(s): 10.10.80.2
Start: Dec 6, 2022, 6:55:26 AM
Duration: 7d 7h 42m 1s
Network(s): Air-Gapped.Branches
Assigned to: Unassigned

Offense Source Summary

IP: 10.10.80.2
Location: Air-Gapped.Branches
Vulnerabilities: 0
Username: Unknown
MAC Address: Unknown NIC
Host Name: Unknown
Asset Name: Unknown
Asset Weight: 0
Chained: No
Offenses: 29
Events/Flows: 234,908

Last 5 Notes

Notes Username Creation Date

No results were returned.

Last 5 Search Results

Magnitude Started On Ended On Duration Events/Flows

No results were returned.

Top 5 Source IPs

Source IP | Location | Vulnerability | User | MAC | Weight | Offenses | Destination(s) | Last Event/Flow | Events/Flows
10.10.30.84 | Air-Gapped.Branches | No | Unknown | Unknown NIC | 0 | 6 | 2 | 2h 37m 15s | 65,842,644
10.10.80.6 | Air-Gapped.Branches | No | Unknown | Unknown NIC | 0 | 6 | 3 | 54m 29s | 1,679
10.10.81.40 | Air-Gapped.Branches | No | Unknown | Unknown NIC | 0 | 5 | 38 | 13m 39s | 7,741
10.10.50.3 | Air-Gapped.Branches | No | Unknown | Unknown NIC | 0 | 4 | 1 | 7h 19m 12s | 29
10.10.80.10 | Air-Gapped.Branches | No | Unknown | Unknown NIC | 0 | 13 | 43 | 0s | 1,330,909

https://10.10.30.84/console/qradar/jsp/QRadar.jsp 1/3

Top 5 Destination IPs

Destination IP | Location | Vulnerability | Chained | User | MAC | Weight | Offenses | Source(s) | Last Event/Flow | Events/Flows
10.10.80.2 | Air-Gapped.Branches | No | No | Unknown | Unknown NIC | 0 | 29 | 58 | 0s | 234,908

Top 5 Log Sources

Name | Description | Group | Events | Offenses | Total Events
HQ-AD | | | 86,571 | 54 | 231,622
Custom Rule Engine-8 :: Qradar Custom Rule Engine | | | 1,488 | 635 | 47,707

Top 5 Users

Name | Events/Flows | Offenses | Total Events/Flows
Administrator | 5,213 | 11 | 72,180
logrhythm | 3,680 | 2 | 8,290
Logrhythm | 3,680 | 4 | 3,842
u21c0706 | 1,631 | 4 | 4,071
U21M0108 | 255 | 4 | 1,424

Top 5 Categories

Name | Local Destination Count | Events/Flows | First Event/Flow | Last Event/Flow
Misc Login Failed | 1 | 848 | Dec 6, 2022, 6:55:26 AM | Dec 13, 2022, 2:31:42 PM
User Login Failure | 1 | 144 | Dec 6, 2022, 7:39:59 AM | Dec 13, 2022, 2:17:07 PM
User Login Success | 1 | 29,239 | Dec 6, 2022, 6:55:26 AM | Dec 13, 2022, 2:37:27 PM
General Authentication Failed | 1 | 45,433 | Dec 6, 2022, 6:55:26 AM | Dec 13, 2022, 2:31:31 PM
Admin Login Successful | 1 | 8,145 | Dec 6, 2022, 6:55:47 AM | Dec 13, 2022, 2:36:44 PM

Last 10 Events

Event Name | Log Source | Category | Destination | Destination IPv6 | Dst Port | Time
Success Audit: An account was succes... | HQ-AD | User Login Success | 10.10.80.2 | 0:0:0:0:0:0:0:0 | 0 | Dec 13, 2022, 2:35:39 PM
Success Audit: An account was succes... | HQ-AD | User Login Success | 10.10.80.2 | 0:0:0:0:0:0:0:0 | 0 | Dec 13, 2022, 2:35:39 PM
Success Audit: An account was succes... | HQ-AD | User Login Success | 10.10.80.2 | 0:0:0:0:0:0:0:0 | 0 | Dec 13, 2022, 2:35:39 PM
Success Audit: An account was succes... | HQ-AD | User Login Success | 10.10.80.2 | 0:0:0:0:0:0:0:0 | 0 | Dec 13, 2022, 2:35:29 PM
Success Audit: An account was succes... | HQ-AD | User Login Success | 10.10.80.2 | 0:0:0:0:0:0:0:0 | 0 | Dec 13, 2022, 2:35:18 PM
Success Audit: Successful logon with... | HQ-AD | Admin Login Successful | 10.10.80.2 | 0:0:0:0:0:0:0:0 | 0 | Dec 13, 2022, 2:36:44 PM
Success Audit: Successful logon with... | HQ-AD | Admin Login Successful | 10.10.80.2 | 0:0:0:0:0:0:0:0 | 0 | Dec 13, 2022, 2:36:33 PM
Success Audit: An account was succes... | HQ-AD | User Login Success | 10.10.80.2 | 0:0:0:0:0:0:0:0 | 0 | Dec 13, 2022, 2:36:33 PM
Success Audit: An account was succes... | HQ-AD | User Login Success | 10.10.80.2 | 0:0:0:0:0:0:0:0 | 0 | Dec 13, 2022, 2:36:33 PM
Success Audit: An account was succes... | HQ-AD | User Login Success | 10.10.80.2 | 0:0:0:0:0:0:0:0 | 0 | Dec 13, 2022, 2:36:22 PM

Last 10 Flows

Application | Source IP | Source IPv6 | Source Port | Destination IP | Destination IPv6 | Destination Port | Total Bytes | Last Packet Time

No results were returned.

Top 5 Annotations

Annotation | Time | Weight
"Offense Chaining". This offense has 1 destinations (destination IPs), which are the source (attacker) in other offenses | Dec 6, 2022, 6:55:55 AM | 7
"CRE Event". CRE Rule description: [Login Failures Followed By Success to the same Destination IP] Detected several authentication failures to a single destination followed by a successful login. | Dec 13, 2022, 6:58:04 AM | 6
"CRE Event". CRE Rule description: [Multiple Login Failures to the Same Destination] Detected authentication failures (more than 10) to the same destination IP. | Dec 13, 2022, 6:58:04 AM | 6
"CRE Event". CRE Rule description: [Multiple Login Failures from the Same Source] Detected authentication failures on the same source IP address with different user names more than 10 times in 5 minutes. | Dec 13, 2022, 6:58:04 AM | 6
"CRE Event". CRE Rule description: [Authentication: Repeat Windows Login Failures] Reports when a source IP address causes an authentication failure event at least 9 times to a single Windows host within 5 minutes. | Dec 13, 2022, 7:00:04 AM | 6
