Prisma Cloud: Why doesn't the "Excessive login failures" policy detect an alert?

Created On 06/21/24 05:42 AM - Last Modified 03/11/25 22:12 PM


Question


Although the user generated many failed login attempts, the "Excessive login failures" policy did not raise any alert.
Why doesn't the "Excessive login failures" policy detect an alert?



Environment


  • Prisma Cloud Enterprise Edition
  • Anomaly policy


Answer


  • To trigger this alert, the user must generate failed login events exceeding the threshold value, followed by a successful login event within 15 minutes.
  • If no successful login event occurs, the policy does not raise an alert, even if there were many failed login events within the 15-minute interval.


Additional Information


  • This policy captures console login events of IAM users only.
  • Command-line operations using security tokens do not generate login events, and SSO logins do not normally generate audit events either.
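The detection rule described in the Answer and Additional Information sections above, written out as an added Python example (not Prisma Cloud's own code, whose internal implementation is not published in this article): only IAM-user ConsoleLogin events are considered, failures are counted within the 15-minute window before a successful login, and the threshold is an assumed parameter because the article does not state its value. The events are constructed samples in a CloudTrail-like shape.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=15)  # look-back interval stated in the article

def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")

def detect_excessive_login_failures(events, threshold):
    """Return (user, success_time, failure_count) for each successful IAM-user
    console login preceded, within WINDOW, by more than `threshold` failed
    console logins of the same user. `threshold` is assumed; the article does
    not state the actual value. Failures with no later success never alert."""
    # Only IAM-user console logins count; CLI/token and SSO events are ignored.
    logins = [e for e in events
              if e["eventName"] == "ConsoleLogin"
              and e["userIdentity"]["type"] == "IAMUser"]
    logins.sort(key=lambda e: _parse(e["eventTime"]))
    alerts = []
    for i, e in enumerate(logins):
        if e["responseElements"]["ConsoleLogin"] != "Success":
            continue  # the alert is only evaluated at a successful login
        t, user = _parse(e["eventTime"]), e["userIdentity"]["userName"]
        failures = sum(
            1 for p in logins[:i]
            if p["userIdentity"]["userName"] == user
            and p["responseElements"]["ConsoleLogin"] == "Failure"
            and t - _parse(p["eventTime"]) <= WINDOW)
        if failures > threshold:
            alerts.append((user, e["eventTime"], failures))
    return alerts

def _ev(ts, user, outcome, event_name="ConsoleLogin", id_type="IAMUser"):
    # Constructed sample event in a CloudTrail-like shape (not real data).
    return {"eventTime": ts, "eventName": event_name,
            "userIdentity": {"type": id_type, "userName": user},
            "responseElements": {"ConsoleLogin": outcome}}

SAMPLE_EVENTS = (
    [_ev(f"2024-06-21T10:0{i}:00Z", "alice", "Failure") for i in range(5)]
    + [_ev("2024-06-21T10:06:00Z", "alice", "Success")]   # success inside window: alerts
    + [_ev(f"2024-06-21T11:0{i}:00Z", "bob", "Failure") for i in range(6)]  # no success: no alert
    + [_ev(f"2024-06-21T12:0{i}:00Z", "carol", "Failure") for i in range(5)]
    + [_ev("2024-06-21T12:30:00Z", "carol", "Success")]   # success after 15 min: no alert
    + [_ev(f"2024-06-21T13:0{i}:00Z", "dave", "Failure", id_type="AssumedRole") for i in range(5)]
    + [_ev("2024-06-21T13:06:00Z", "dave", "Success", id_type="AssumedRole")]  # federated: ignored
)

if __name__ == "__main__":
    print(detect_excessive_login_failures(SAMPLE_EVENTS, threshold=3))
```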

