Link Search Menu Expand Document

Sophos_Attempted_Login_Default_Credentials

ID: 100214

Description:

A user attempted to login using a default username and password

Repository: Group: Sophos Type: event

Default Status:

Enabled

Tags:
Sophos
 

Selector:

Query:

Filters:

Field MUST hit
@tags sophos
@sophos.classification Attempt to login by a default username and password
Field MUST NOT hit
   

Behavior Rule:

Key Type Behavior Category
@sophos.src_ip ip security alert

Risks:

Risks Base Score Dimension
ALERT_NORMAL 100 alert
Timeline 0 -

Attributes:

Alias Key
Message @sophos.message
SrcIP @sophos.src_ip
DestIP @sophos.dst_ip
SrcPort @sophos.src_port
DestPort @sophos.dst_port
Country @sophos.src_country
Victim @sophos.victim
Severity @sophos.severity

Correlation Rules:

First Occurrence:

Name Window Fields
NewCountry 10 days @sophos.src_country
  Risks: ML_NEW_GEO_COUNTRY

History:

User Date
em*n@fluencysecurity.com 2021 Mar 23 02:08:36 EDT

This page was automatically created/formatted on Tue, 2021 Oct 19 00:29:17 EDT, from rule_dump.json (db47c470500ce8686ead334f5eda0596)