Does the Excessive login failures policy also detect switch role failures?

Created On 11/22/21 16:11 PM - Last Modified 04/05/24 21:05 PM


Question


  • Does the Excessive login failures policy also detect switch role failures?
  • Is it correct that this detection applies regardless of account or role?


Environment


  • Prisma Cloud
  • Excessive login failures


Answer


Yes, it does. SwitchRole is a type of login activity: it switches from one role to another, possibly with elevated permissions, so failures from such actions are treated the same way as failures from ConsoleLogin events. The predefined anomaly policies marked as Prisma Cloud Default policies alert you to this kind of issue.

Below is the description of Excessive login failures for reference:

  • Excessive login failures: Detects potential account hijacking attempts by identifying brute force login attempts from the management console or command line. This policy uses write events.
To suppress this type of alert, add the Subject (Entity Name) to a Trusted List under UI > Settings > Anomalies > Anomaly Trusted List.
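As an added illustration of the point above (this is example code written for this article, not Prisma Cloud's own detection logic), the following counts ConsoleLogin and SwitchRole failures together per subject and raises an alert when a subject accumulates too many inside a time window. The threshold, the window, and the CloudTrail-shaped sample records are assumptions constructed for the example; Prisma Cloud's real anomaly engine builds its own baselines and is not documented on this page. Passing only ConsoleLogin to the detector shows what would be missed if SwitchRole failures were ignored, and the trusted parameter mirrors the Anomaly Trusted List suppression described above.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Event names counted as "login" activity. The article states that SwitchRole
# failures are treated like ConsoleLogin failures, so both are included.
LOGIN_EVENTS = ("ConsoleLogin", "SwitchRole")

# Assumed detection parameters; Prisma Cloud's actual values are not on this page.
FAILURE_THRESHOLD = 5
WINDOW = timedelta(minutes=10)


def parse_time(ts):
    """CloudTrail eventTime is ISO 8601 with a trailing Z."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def is_login_failure(event, login_events=LOGIN_EVENTS):
    """True for a ConsoleLogin/SwitchRole record whose responseElements reports Failure."""
    name = event.get("eventName")
    if name not in login_events:
        return False
    response = event.get("responseElements") or {}
    return response.get(name) == "Failure"


def subject_of(event):
    """Entity name used for counting and for the trusted-list check."""
    identity = event.get("userIdentity") or {}
    return identity.get("arn") or identity.get("principalId") or "unknown"


def detect_excessive_failures(records, threshold=FAILURE_THRESHOLD, window=WINDOW,
                              login_events=LOGIN_EVENTS, trusted=()):
    """Return {subject: peak failure count} for subjects that accumulate
    `threshold` or more login failures inside any span of length `window`.
    Subjects in `trusted` are suppressed, mirroring the Anomaly Trusted List."""
    failures = defaultdict(list)
    for raw in records:
        event = json.loads(raw) if isinstance(raw, str) else raw
        if not is_login_failure(event, login_events):
            continue
        subject = subject_of(event)
        if subject in trusted:
            continue
        failures[subject].append(parse_time(event["eventTime"]))

    alerts = {}
    for subject, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):  # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                alerts[subject] = max(alerts.get(subject, 0), count)
    return alerts


def _record(event_name, event_time, arn, outcome):
    """Build a minimal CloudTrail-shaped record (constructed sample, not real data)."""
    return json.dumps({
        "eventVersion": "1.08",
        "eventTime": event_time,
        "eventSource": "signin.amazonaws.com",
        "eventName": event_name,
        "userIdentity": {"type": "IAMUser", "arn": arn},
        "responseElements": {event_name: outcome},
    })


ALICE = "arn:aws:iam::123456789012:user/alice"
BOB = "arn:aws:iam::123456789012:user/bob"

# Constructed sample: alice fails console login three times, then fails to
# switch role three times and finally succeeds; bob fails to switch role twice.
SAMPLE_RECORDS = [
    _record("ConsoleLogin", "2021-11-22T16:11:00Z", ALICE, "Failure"),
    _record("ConsoleLogin", "2021-11-22T16:12:00Z", ALICE, "Failure"),
    _record("ConsoleLogin", "2021-11-22T16:13:00Z", ALICE, "Failure"),
    _record("SwitchRole", "2021-11-22T16:14:00Z", ALICE, "Failure"),
    _record("SwitchRole", "2021-11-22T16:15:00Z", ALICE, "Failure"),
    _record("SwitchRole", "2021-11-22T16:16:00Z", ALICE, "Failure"),
    _record("SwitchRole", "2021-11-22T16:17:00Z", ALICE, "Success"),
    _record("SwitchRole", "2021-11-22T16:20:00Z", BOB, "Failure"),
    _record("SwitchRole", "2021-11-22T16:21:00Z", BOB, "Failure"),
]

if __name__ == "__main__":
    print(detect_excessive_failures(SAMPLE_RECORDS))                                  # alice: 6
    print(detect_excessive_failures(SAMPLE_RECORDS, login_events=("ConsoleLogin",)))  # nothing
    print(detect_excessive_failures(SAMPLE_RECORDS, trusted={ALICE}))                 # nothing
```

With both event types counted, alice's three console failures plus three role-switch failures cross the assumed threshold; counting ConsoleLogin alone would leave the same activity below it, which is why the policy treats SwitchRole failures as login failures.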

Below are some of the anomaly policies for reference.

(image: list of Prisma Cloud Default anomaly policies)


Additional Information


Excessive login failures: This policy also supports insider threat detection, for example:

  • Discovering suspicious behaviors such as excessive login failures that could signal compromised accounts.
  • Detecting brute force attacks and other behaviors that traditional security tools miss.
Note: Additional details can be found here


https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000004MOnCAM&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail