Managed Sentinel – Alert 079
Alert ID | MS-A079 |
Alert Name | Potential brute force attack against an IIS Web Server |
Description | Identifies when a single user account accumulates 100 or more failed logon attempts against an IIS server within 10 minutes. This can indicate a brute-force attempt based on known account information (password guessing against a valid username); it can also simply indicate a misconfigured service or device that keeps retrying with stale credentials. Failed attempts are identified from the IIS sc-status (and sc-substatus) and sc-win32-status fields. References: IIS status code mapping - https://support.microsoft.com/en-us/help/943891/the-http-status-code-in-iis-7-0-iis-7-5-and-iis-8-0 ; Win32 status code mapping - https://msdn.microsoft.com/en-us/library/cc231199.aspx |
Severity Level | Medium |
Threat Indicator | Credential Access |
MITRE ATT&CK Tactics | Credential Access |
Log sources | Web Traffic |
False Positive | Robots (web crawlers) repeatedly requesting authenticated resources and receiving 401/403 responses. |
Recommendations | 1. Set an account lockout policy that triggers after a defined number of failed logon attempts, so passwords cannot be guessed at will. Note that an overly strict policy creates a denial-of-service condition: every account targeted by the brute force is locked out and the environment becomes unusable. 2. Use multi-factor authentication, and where possible enable it on externally facing services as well. 3. If a public-facing web site is experiencing this type of attack, block inbound traffic from the source IP address(es) initiating it. |
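The detection logic of MS-A079 run over IIS log lines, as an added example (this is not the alert's own Sentinel query). It assumes IIS logs in W3C extended format with the #Fields header shown, treats a failed logon as an sc-status 401 that carries a cs-username (the initial 401 challenge IIS sends is logged with cs-username "-" and is not counted), and uses a sliding 10-minute window rather than a fixed 10-minute bin so a burst straddling a bin boundary is still caught. The sample log, the account names, the IP addresses, the sc-substatus/sc-win32-status values and the optional User-Agent allow-list are all constructed for the example.

```python
"""MS-A079 detection logic run over constructed IIS W3C log lines.

Added example, not the alert's own query. Assumptions: IIS logs in W3C
extended format with the #Fields header below; a failed logon is an
sc-status 401 response that carries a cs-username (the initial 401
challenge IIS sends is logged with cs-username "-" and is not counted).
"""
from collections import defaultdict
from datetime import datetime, timedelta

THRESHOLD = 100                 # failed attempts by one user ...
WINDOW = timedelta(minutes=10)  # ... inside any 10-minute span


def parse_iis_w3c(lines):
    """Yield one dict per data line, mapping the #Fields names to values."""
    fields = None
    for line in lines:
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line.split()[1:]
            continue
        if fields is None:
            raise ValueError("data line before #Fields header")
        values = line.split(" ")
        if len(values) == len(fields):  # skip truncated lines instead of mis-assigning columns
            yield dict(zip(fields, values))


def is_failed_logon(rec, ignore_agents):
    """401 with a supplied username, unless the User-Agent is on the allow-list."""
    if rec["sc-status"] != "401" or rec["cs-username"] == "-":
        return False
    return not any(a in rec.get("cs(User-Agent)", "") for a in ignore_agents)


def detect_brute_force(lines, threshold=THRESHOLD, window=WINDOW, ignore_agents=()):
    """Return one alert per user whose failed logons reach `threshold` within `window`."""
    attempts = defaultdict(list)  # cs-username -> [(timestamp, c-ip)]
    for rec in parse_iis_w3c(lines):
        if is_failed_logon(rec, ignore_agents):
            ts = datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")
            attempts[rec["cs-username"]].append((ts, rec["c-ip"]))
    alerts = []
    for user, events in attempts.items():
        events.sort()
        start, best = 0, None
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:  # slide the window start forward
                start += 1
            count = end - start + 1
            if count >= threshold and (best is None or count > best["failed_attempts"]):
                best = {"user": user, "failed_attempts": count,
                        "window_start": events[start][0], "window_end": events[end][0],
                        "source_ips": sorted({ip for _, ip in events[start:end + 1]})}
        if best:
            alerts.append(best)
    return alerts


def constructed_log():
    """Constructed sample log (no real traffic): one burst that should alert, one
    account just under the threshold, a crawler that never supplies credentials,
    and an authenticating uptime probe (the 'robots' false positive)."""
    fields = ("date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username "
              "c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken")
    base = datetime(2024, 5, 1, 9, 0, 0)

    # sub="1" / win32="1326" are constructed to match the logon-failure entries of the
    # status-code mappings linked in the alert description (401.1, ERROR_LOGON_FAILURE).
    def row(offset_s, user, ip, agent, status="401", sub="1", win32="1326"):
        t = base + timedelta(seconds=offset_s)
        return f"{t:%Y-%m-%d %H:%M:%S} 10.0.0.5 GET /owa/ - 443 {user} {ip} {agent} {status} {sub} {win32} 12"

    lines = ["#Software: Microsoft Internet Information Services 10.0", f"#Fields: {fields}"]
    lines += [row(2 * i, "CORP\\svc-backup", "203.0.113.7", "Mozilla/5.0+(compatible)") for i in range(120)]
    lines += [row(5 * i, "CORP\\jdoe", "198.51.100.23", "Mozilla/5.0+(compatible)") for i in range(99)]
    lines += [row(3 * i, "-", "192.0.2.40", "Mozilla/5.0+(compatible;+bingbot/2.0)") for i in range(150)]
    lines += [row(4 * i, "CORP\\svc-probe", "10.0.0.9", "UptimeRobot/2.0") for i in range(110)]
    lines.append(row(10, "CORP\\jdoe", "198.51.100.23", "Mozilla/5.0+(compatible)", status="200", sub="0", win32="0"))
    return lines


if __name__ == "__main__":
    for alert in detect_brute_force(constructed_log(), ignore_agents=("UptimeRobot",)):
        print(f"{alert['user']}: {alert['failed_attempts']} failures "
              f"{alert['window_start']:%H:%M:%S}-{alert['window_end']:%H:%M:%S} from {alert['source_ips']}")
```

With the defaults the constructed log raises two alerts: the 120-attempt burst against CORP\svc-backup and the authenticating probe CORP\svc-probe; the crawler's 150 unauthenticated 401s never count because cs-username is "-", and CORP\jdoe stays at 99 and does not fire. Passing `ignore_agents=("UptimeRobot",)` is the tuning step for the documented robots false positive and leaves only the real burst. The `source_ips` list in each alert is what recommendation 3 needs for a block decision; if it contains many addresses for one user, the activity is distributed and IP blocking alone will not stop it.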