VPN Login Password Spray

Cortex XSIAM Analytics Alert Reference by Alert name

Product
Cortex XSIAM
Last date published
2026-03-10
Category
Analytics Alert Reference
Index by
Alert name

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

1 Hour

Deduplication Period

1 Day

Required Data

  • Requires one of the following data sources:
    • Palo Alto Networks Global Protect
      OR
    • Third-Party VPNs

Detection Modules

Identity Analytics

Detector Tags

ATT&CK Tactic

Credential Access (TA0006)

ATT&CK Technique

Severity

Informational

Description

An abnormally high number of distinct users failed to log in to a VPN service from a single IP address within a short period of time. This may indicate a password spray attack: unlike a brute-force attack against one account, a spray tries one or a few passwords against many accounts, so the signal is the number of different users failing from one source rather than the number of failures per user.

Attacker's Goals

An attacker may be attempting to gain unauthorized access to user accounts.

Investigative actions

  • Analyze the time intervals between login attempts; evenly spaced attempts cycling through many accounts are typical of automated password spraying.
  • Investigate the cause of the login failures (e.g., incorrect passwords, account lockouts, other factors).
  • Review the geographic regions behind the failed login attempts.
  • Investigate whether a successful login was made after the unsuccessful attempts; if so, treat that account as potentially compromised.
  • Cross-reference the IP address with threat intelligence sources to see if it is associated with known malicious activity.
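The detection described above, together with the first and fourth investigative actions (attempt spacing, and whether a success followed the failures), as a toy implementation. This is an added example, not Cortex XSIAM or GlobalProtect code, and it serves the base alert and both variations, which share the same logic. The event tuple layout (timestamp, source IP, user, result), the 1-hour window, the distinct-user threshold, the simplified severity mapping and the sample events are all assumptions made for illustration; XSIAM learns its own baseline during the training period.

```python
"""Toy detector for the behaviour this alert describes: many distinct users
failing VPN authentication from one source IP inside a short window, plus the
follow-up checks from "Investigative actions" (attempt spacing and whether a
success followed the failures).

Added example, not Cortex XSIAM or GlobalProtect code. The event tuple layout
(timestamp, source IP, user, result), the 1-hour window, the distinct-user
threshold and the sample events are all assumptions made for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

TEST_WINDOW = timedelta(hours=1)   # mirrors the alert's 1-hour Test Period
MIN_DISTINCT_USERS = 10            # assumed threshold; XSIAM learns its own baseline

# Constructed sample events, not real logs. 203.0.113.7 fails once against each
# of 12 accounts every 30 seconds (one password, many users), then logs in as
# user05. 198.51.100.5 is a legitimate user who mistypes a password twice.
SPRAY_IP = "203.0.113.7"
SAMPLE_EVENTS = [
    (f"2026-03-10T08:{i // 2:02d}:{30 * (i % 2):02d}", SPRAY_IP, f"user{i:02d}", "failure")
    for i in range(12)
] + [
    ("2026-03-10T08:07:15", SPRAY_IP, "user05", "success"),
    ("2026-03-10T08:02:00", "198.51.100.5", "bob", "failure"),
    ("2026-03-10T08:02:40", "198.51.100.5", "bob", "failure"),
    ("2026-03-10T08:03:05", "198.51.100.5", "bob", "success"),
]


def parse_events(raw):
    """Turn (iso_ts, ip, user, result) tuples into datetime-keyed tuples, sorted by time."""
    return sorted((datetime.fromisoformat(ts), ip, user, result) for ts, ip, user, result in raw)


def max_distinct_users_in_window(failures, window):
    """Sliding window over time-sorted (ts, user) failures.

    Returns (distinct_users, window_start, window_end) for the densest window.
    Counting distinct users rather than raw failures is what separates a spray
    (few passwords, many accounts) from a brute force against one account.
    """
    best_n, best_start, best_end = 0, None, None
    counts = defaultdict(int)
    left = 0
    for t, user in failures:
        counts[user] += 1
        while failures[left][0] < t - window:       # evict attempts older than the window
            old_user = failures[left][1]
            counts[old_user] -= 1
            if counts[old_user] == 0:
                del counts[old_user]
            left += 1
        if len(counts) > best_n:
            best_n, best_start, best_end = len(counts), failures[left][0], t
    return best_n, best_start, best_end


def detect_spray(raw_events, window=TEST_WINDOW, min_users=MIN_DISTINCT_USERS):
    """Return {source_ip: finding} for every IP that crosses the distinct-user threshold."""
    by_ip = defaultdict(list)
    for ev in parse_events(raw_events):
        by_ip[ev[1]].append(ev)

    findings = {}
    for ip, events in by_ip.items():
        failures = [(t, user) for t, _, user, result in events if result == "failure"]
        n, start, end = max_distinct_users_in_window(failures, window)
        if n < min_users:
            continue
        # Investigative action: spacing between attempts. Near-constant gaps point to tooling.
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(failures, failures[1:])]
        # Investigative action: did any login from this IP succeed after the failures began?
        first_failure = failures[0][0]
        success_after = [(user, t.isoformat()) for t, _, user, result in events
                         if result == "success" and t > first_failure]
        findings[ip] = {
            "distinct_users": n,
            "failed_attempts": len(failures),
            "window_start": start.isoformat(),
            "window_end": end.isoformat(),
            "min_gap_s": min(gaps) if gaps else None,
            "median_gap_s": median(gaps) if gaps else None,
            "max_gap_s": max(gaps) if gaps else None,
            "success_after": success_after,
            # Simplified severity mapping (assumption): a spray followed by a success is
            # the "Successful VPN Password Spray" case and rates higher than a bare spray.
            "severity": "Medium" if success_after else "Informational",
        }
    return findings


if __name__ == "__main__":
    for ip, finding in detect_spray(SAMPLE_EVENTS).items():
        print(ip, finding)
```

Running the block reports only 203.0.113.7: twelve distinct users failing in under six minutes at a constant 30-second cadence, followed by a success as user05, so the finding is rated Medium. The legitimate user on 198.51.100.5 fails twice against a single account and never crosses the distinct-user threshold, which is the point of counting users rather than failures.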

Variations

Successful VPN Password Spray Threat Detected with unusual characteristics

Synopsis

ATT&CK Tactic

Credential Access (TA0006)

ATT&CK Technique

Severity

Medium

Description

An abnormally high number of users failed to log in to a VPN service from an IP address within a short period of time. This may indicate a password spray attack. In this variation, at least one of the attempted logins succeeded, which is why it carries a higher severity than the base alert.

Attacker's Goals

An attacker may be attempting to gain unauthorized access to user accounts.

Investigative actions

  • Analyze the time intervals between login attempts; evenly spaced attempts cycling through many accounts are typical of automated password spraying.
  • Investigate the cause of the login failures (e.g., incorrect passwords, account lockouts, other factors).
  • Review the geographic regions behind the failed login attempts.
  • Investigate whether a successful login was made after the unsuccessful attempts; if so, treat that account as potentially compromised.
  • Cross-reference the IP address with threat intelligence sources to see if it is associated with known malicious activity.

VPN login password spray with unusual characteristics

Synopsis

ATT&CK Tactic

Credential Access (TA0006)

ATT&CK Technique

Severity

Low

Description

An abnormally high number of users failed to log in to a VPN service from an IP address within a short period of time. This may indicate a password spray attack.

Attacker's Goals

An attacker may be attempting to gain unauthorized access to user accounts.

Investigative actions

  • Analyze the time intervals between login attempts; evenly spaced attempts cycling through many accounts are typical of automated password spraying.
  • Investigate the cause of the login failures (e.g., incorrect passwords, account lockouts, other factors).
  • Review the geographic regions behind the failed login attempts.
  • Investigate whether a successful login was made after the unsuccessful attempts; if so, treat that account as potentially compromised.
  • Cross-reference the IP address with threat intelligence sources to see if it is associated with known malicious activity.