Understanding the user account list in SMB Brute Force detections

When you review an SMB Brute Force detection you will see details in the Cognito UI regarding the list of usernames that were involved with the detection and the counts of occurrences of success, failure, and more-info-required return codes.

The list presented on the detection identifies all usernames observed over all authentication types over the course of the detection, with the exception of null/anonymous usernames, which are omitted from the printed list.

The list does not distinguish between authentication type and authentication success/failure.

As presented, The username list offers a hint for the security analyst when investigating this detection and should be used in conjunction with the packet capture when determining next steps.

Was this article helpful?
1 out of 1 found this helpful

Download PDF


Article is closed for comments.