MDR - Alert Detail 8

On October 21, 2024, a suspicious event was detected involving multiple failed authentication attempts from the IP address 94.232.47.47 on the firewall FW-FG-BinhDinh-Hatchery. The incident suggests a potential password cracking attempt, prompting an investigation into whether the source IP is internal or external. Recommendations include verifying with the firewall admin and potentially setting up access control lists for authorized IPs if the source is deemed suspicious.

Uploaded by phanmystates

Firewall Authentication - Actions

CPFI / Detail / 79891

Multiple Fail (Many Accounts from 1 Source)

Timeline

Occurred 2024-10-21T04:31:29+07:00

Detected 2024-10-21T04:46:30+07:00

Notified 2024-10-21T04:50:24+07:00

Closed N/A

Details

Owner

Notification Time 2024-10-21T04:50:24+07:00

Priority Medium

Severity Medium

Urgency Medium

Elapsed time to notified (h:m:s) 0:03:54

Close information

SUMMARY:
Event Summary & Recommendation
21/10/2024 04:31:29+07, TDG SIEM has identified an event from the firewall FW-FG-BinhDinh-Hatchery that has the events related to the use case name: "Firewall Authentication - Multiple Fail (Many Account from 1 Source)"

We found several failed authentications from a source IP: 94.232.47.47.


For more detail please verify the SIEM Data table

This alert informs you about suspicious activity that points to an attempt to crack the password. We would like you to investigate further whether the source IP belongs to the internal network. Please verify the activity by asking the firewall system admin:
- Is he familiar with the username and source IP?
- Has an ACL been configured for the IPs authorized to access the firewall console?
If he answers yes to one of these questions, you can close this case and select "Normal" as the close reason.
If the firewall admin is unfamiliar with the source IP, or the firewall was authenticated from a public IP, we recommend as remediation that you set up an ACL for firewall console access.

Evidence notes 0

Incident Data
Key Value

Case URL https://mdr.truedigital.com/alert/CPFI_79891

Name Firewall Authentication - Multiple Fail (Many Accounts from 1 Source)

Category Suspicious Activity

Occurred (UTC) 2024-10-20T21:31:29+00:00

Occurred (Asia/Ho_Chi_Minh) 2024-10-21T04:31:29+07:00

Created (UTC) 2024-10-20T21:46:30+00:00

Created (Asia/Ho_Chi_Minh) 2024-10-21T04:46:30+07:00

Priority Medium

Severity Medium

Urgency Medium

sourceips ['94.232.47.47']

hostnames ['fw-fg-binhdinh-hatchery']

dbotscore 2

SIEM Data
Key Value

timestamp 21/10/2024 04:31:29+07

product Fortigate

dvc FW-FG-BinhDinh-Hatchery

dvc_ip 172.25.0.58

status failed

src_ip 94[.]232[.]47[.]47

dest_ip 113.161.0.30

user accounts1,advisor,draughtsperson,info1,intern,learner,procurement,sales,specialist,temp

msg Administrator accounts1 login failed from https(94.232.47.47) because of invalid user name,Administrator advisor login failed from https(94.232.47.47) because of invalid user name,Administrator draughtsperson login failed from https(94.232.47.47) because of invalid user name,Administrator info1 login failed from https(94.232.47.47) because of invalid user name,Administrator intern login failed from https(94.232.47.47) because of invalid user name,Administrator learner login failed from https(94.232.47.47) because of invalid user name,Administrator procurement login failed from https(94.232.47.47) because of invalid user name,Administrator sales login failed from https(94.232.47.47) because of invalid user name,Administrator specialist login failed from https(94.232.47.47) because of invalid user name,Administrator temp login failed from https(94.232.47.47) because of invalid user name

user_count 10

count 10

first_authen_fail 21/10/2024 04:31:29+07

last_authen_fail 21/10/2024 04:41:49+07
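The use case that fired here ("Multiple Fail (Many Accounts from 1 Source)") reduces to a simple aggregation over the FortiGate admin-login failure messages shown in the msg field: group failures by source IP, count distinct usernames inside a time window, and alert when the count crosses a threshold. The following is an added, stand-alone illustration of that logic, not TDG SIEM's rule or any FortiGate feature; the sample log lines are constructed to match the message format above (the per-line timestamps, the internal IP 172.25.0.10, the address 203.0.113.5, the "invalid password" and "login successful" wordings, and the threshold of 5 users in 15 minutes are all assumptions).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Pattern for the FortiGate admin-login failure message seen in the alert's "msg" field.
MSG_RE = re.compile(
    r"Administrator (?P<user>\S+) login failed from "
    r"(?P<service>\w+)\((?P<src_ip>\d{1,3}(?:\.\d{1,3}){3})\)"
)

# Constructed sample events: (ISO-8601 timestamp, message). The first ten mirror the
# ten usernames in the alert; the timestamps within that window are assumptions.
SAMPLE_EVENTS = [
    ("2024-10-21T04:31:29+07:00", "Administrator accounts1 login failed from https(94.232.47.47) because of invalid user name"),
    ("2024-10-21T04:32:40+07:00", "Administrator advisor login failed from https(94.232.47.47) because of invalid user name"),
    ("2024-10-21T04:33:51+07:00", "Administrator draughtsperson login failed from https(94.232.47.47) because of invalid user name"),
    ("2024-10-21T04:35:02+07:00", "Administrator info1 login failed from https(94.232.47.47) because of invalid user name"),
    ("2024-10-21T04:36:13+07:00", "Administrator intern login failed from https(94.232.47.47) because of invalid user name"),
    ("2024-10-21T04:37:24+07:00", "Administrator learner login failed from https(94.232.47.47) because of invalid user name"),
    ("2024-10-21T04:38:35+07:00", "Administrator procurement login failed from https(94.232.47.47) because of invalid user name"),
    ("2024-10-21T04:39:46+07:00", "Administrator sales login failed from https(94.232.47.47) because of invalid user name"),
    ("2024-10-21T04:40:57+07:00", "Administrator specialist login failed from https(94.232.47.47) because of invalid user name"),
    ("2024-10-21T04:41:49+07:00", "Administrator temp login failed from https(94.232.47.47) because of invalid user name"),
    # Constructed benign case: one admin mistyping a password twice from an internal address.
    ("2024-10-21T08:00:00+07:00", "Administrator admin login failed from ssh(172.25.0.10) because of invalid password"),
    ("2024-10-21T08:01:00+07:00", "Administrator admin login failed from ssh(172.25.0.10) because of invalid password"),
    # Constructed non-failure line: must be ignored by the parser.
    ("2024-10-21T08:02:00+07:00", "Administrator admin login successful from ssh(172.25.0.10)"),
    # Constructed slow case: five usernames spread over two hours (outside a 15-minute window).
    ("2024-10-21T05:00:00+07:00", "Administrator root login failed from https(203.0.113.5) because of invalid user name"),
    ("2024-10-21T05:30:00+07:00", "Administrator test login failed from https(203.0.113.5) because of invalid user name"),
    ("2024-10-21T06:00:00+07:00", "Administrator guest login failed from https(203.0.113.5) because of invalid user name"),
    ("2024-10-21T06:30:00+07:00", "Administrator backup login failed from https(203.0.113.5) because of invalid user name"),
    ("2024-10-21T07:00:00+07:00", "Administrator support login failed from https(203.0.113.5) because of invalid user name"),
]


def parse_event(timestamp, msg):
    """Parse one (timestamp, message) pair; return None for lines that are not login failures."""
    m = MSG_RE.search(msg)
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(timestamp),
        "user": m.group("user"),
        "service": m.group("service"),
        "src_ip": m.group("src_ip"),
    }


def detect_many_accounts(events, min_users=5, window=timedelta(minutes=15)):
    """Flag source IPs that fail logins for at least min_users distinct usernames within window.

    Returns {src_ip: {"user_count", "users", "first", "last"}} for the densest window per source.
    """
    by_src = defaultdict(list)
    for ts, msg in events:
        ev = parse_event(ts, msg)
        if ev:
            by_src[ev["src_ip"]].append((ev["ts"], ev["user"]))

    hits = {}
    for src_ip, attempts in by_src.items():
        attempts.sort()  # chronological order; tuples sort by timestamp first
        best = None
        for i in range(len(attempts)):
            seen = set()
            j = i
            # Expand the window forward from attempt i while it stays inside `window`.
            while j < len(attempts) and attempts[j][0] - attempts[i][0] <= window:
                seen.add(attempts[j][1])
                j += 1
            if len(seen) >= min_users and (best is None or len(seen) > best["user_count"]):
                best = {
                    "user_count": len(seen),
                    "users": sorted(seen),
                    "first": attempts[i][0],
                    "last": attempts[j - 1][0],
                }
        if best:
            hits[src_ip] = best
    return hits


if __name__ == "__main__":
    for src, hit in detect_many_accounts(SAMPLE_EVENTS).items():
        print(f"{src}: {hit['user_count']} usernames between {hit['first']} and {hit['last']}")
        print("  users:", ", ".join(hit["users"]))
```

Run as written, only 94.232.47.47 is reported, with the same user_count, first and last values the alert shows; the repeated failures of a single admin account and the slow five-account source stay below the threshold. Widening the window (for example to three hours) makes the slow source fire as well, which is the trade-off to keep in mind when tuning this kind of rule: a short window reduces noise but misses patient guessing.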

Indicator Type: IP 94[.]232[.]47[.]47


Risk score: 10 Rating: Suspicious
description level rule timestamp

1 sighting on 1 source: Recently Viewed Integrations Indicators. Observed in the wild by Recorded Future Telemetry. 1 Observed in the Wild by Recorded Future Telemetry 2024-10-20 09:25:14

1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: Malicious IPv4 address, from Forescout Research - Vedere Labs (Jul 6, 2024). 1 Historically Reported by DHS AIS 2024-07-06 00:02:21

ASN
asn asn_cidr asn_country_code

204490 94.232.47.0/24 RU

Similar Incidents
Key Value

id 79876

name Evaluate - VPN - Authentication Multiple Fail (Many Accounts from 1 Source)

created 2024-10-20T12:32:30.273134189Z

users accounts1, conf, corporate1, draughtsperson, inconf, info1, information, intern, pdp, samadmin, temp, ttcadmin

hostnames fg-100f-cp-dc

countrycode RU

asn 204490

closeNotes Evaluate

closeReason Other
