VPN login Brute-Force attempt

Cortex XSIAM Analytics Alert Reference by Alert name

Product

Cortex XSIAM

Last date published

2025-05-13

Activation Period	14 Days
Training Period	30 Days
Test Period	1 Hour
Deduplication Period	1 Day
Required Data	Requires one of the following data sources: Palo Alto Networks Global Protect OR Third-Party VPNs
Detection Modules	Identity Analytics
Detector Tags
ATT&CK Tactic	Credential Access (TA0006) Resource Development (TA0042)
ATT&CK Technique	Brute Force (T1110) Compromise Accounts (T1586) Brute Force: Password Guessing (T1110.001)
Severity	Informational

A user account failed to log in to a VPN service multiple times in a short time period. This may indicate a brute-force attack.

An attacker attempts to gain access to the account.

Verify successful connections by the user account, as these can indicate the attacker managed to guess the credentials.
Analyze login patterns for abnormal times, locations, or IPs for suspicious activity.
Look for VPN login attempts from countries where the organization does not typically operate.
Cross-reference the IP addresses with threat intelligence sources.
Follow further actions taken by the account.

VPN Login Brute Force

ATT&CK Tactic

ATT&CK Technique

Severity

Low

A user account failed to log in to a VPN service multiple times in a short time period. This may indicate a brute-force attack.

An attacker attempts to gain access to the account.

Verify successful connections by the user account, as these can indicate the attacker managed to guess the credentials.
Analyze login patterns for abnormal times, locations, or IPs for suspicious activity.
Look for VPN login attempts from countries where the organization does not typically operate.
Cross-reference the IP addresses with threat intelligence sources.
Follow further actions taken by the account.