
Quick Start Security for Ivanti Pulse Secure Access


Coralogix Extension For Ivanti Pulse Secure Access Includes:

Alerts - 7

Stay on top of Ivanti Pulse Secure Access key performance metrics. Keep everyone in the know with integration with Slack, PagerDuty and more.

Unauthenticated POST Request

This alert triggers when an unauthenticated POST request is detected. Malicious actors try to upload malicious files or code to a web site in order to plant malware or click-bait content and use it to compromise additional employees or company customers. Additionally, connecting to unencrypted internal HTTP applications is not a best practice and exposes the application to attacks such as man-in-the-middle.

Impact: The company web application or its hosting server could be compromised.

Mitigation: Validate that there were no successful upload attempts to the website/server. Validate with the relevant user that they were the one who performed the POST request. If there is a suspicion that the user was compromised, temporarily suspend that user until the investigation is concluded. If a user was compromised, enforce a password change and MFA for that user. If needed, block the source IP address from accessing any of your company resources.

MITRE Tactic: TA0003 MITRE Technique: T1525

Failed Login Attempt From A New User

This alert triggers on a failed authentication attempt from a user that has not been seen in the last 30 days. Malicious actors try different username and password combinations in order to gain access to company resources; this activity might indicate a password spray attack, or simply a misspelled username. A user not seen in the last 30 days may be an inactive account, or an account that was not deactivated when the employee left the company. If needed, tune the time range to your company's needs.

Impact: A malicious actor gains access to company resources and business continuity is compromised.

Mitigation: Validate whether the username is a misspelling or an unknown user. Check for additional failed authentications from the same source IP. If needed, block the source IP address from accessing any of your company resources. If needed, investigate further according to company policy.

MITRE Tactic: TA0006 MITRE Technique: T1110

Multiple Users Failed Login From Single IP Address

This alert triggers when 3 different users fail to log in from the same IP address. Malicious actors try to obtain employee VPN credentials in order to authenticate to sensitive company resources, and failures for several users from one source might indicate a password spraying attempt. If your users reach Ivanti through NAT (so they all appear to come from the same IP), this alert can be noisy; it is recommended to fine-tune it by adding your external IP addresses to an allowlist.

Impact: A malicious actor gains access to sensitive company resources and compromises business integrity.

Mitigation: Validate with the users that they were the ones behind the failed authentication attempts. If needed, temporarily suspend the relevant user(s) until the investigation is concluded. If needed, enforce a password change for the affected users.

MITRE Tactic: TA0006 MITRE Technique: T1110

Multiple Unauthenticated Request To Different URLs

This alert triggers when the same IP address tries to access more than 10 different URLs within a 2-hour period. This activity can be automated bot traffic scanning and mapping your websites, a malicious actor trying to reach sensitive data exposed through the website, or a user trying to access a page they lack permissions for.

Impact: A malicious actor can gain access to sensitive company data.

Mitigation: Validate with the relevant user that they were the one who tried to access the page. If there is a suspicion that the user was compromised, temporarily suspend that user until the investigation is concluded. If needed, block the source IP address from accessing any of your company's resources.

MITRE Tactic: TA0006 MITRE Technique: T1110

Multiple Failed Logins By a Single User From Different IPs

This alert triggers when the same user has 20 or more failed login attempts within a given period of time from more than one IP address. Malicious actors try to obtain employee VPN credentials in order to authenticate to sensitive company resources, and spreading the attempts across several sources is a common way to evade per-IP lockouts.

Impact: A malicious actor gains access to sensitive company resources and compromises business integrity.

Mitigation: Validate with the user that they were the one behind the failed authentications. If needed, temporarily suspend the user until the investigation is concluded. If needed, enforce a password change for the affected user.

MITRE Tactic: TA0006 MITRE Technique: T1110

Multiple Failed Login Attempts For a Single User

This alert triggers when the same user has 20 or more failed login attempts within a given period of time. Malicious actors try to obtain employee VPN credentials in order to authenticate to sensitive company resources. Repeated failed authentication attempts against usernames such as administrator, admin, vpn or root can indicate a brute-force attack aimed at gaining privileged access.

Impact: A malicious actor gains access to sensitive company resources and compromises business integrity.

Mitigation: Validate with the user that they were the one behind the failed authentications. If needed, temporarily suspend the user until the investigation is concluded. If needed, enforce a password change for the affected user.

MITRE Tactic: TA0006 MITRE Technique: T1110
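The thresholds described for the alerts above (an unauthenticated POST, a failure from a user not seen in 30 days, 3 users failing from one IP, more than 10 URLs from one IP in 2 hours, and 20 failures for one user with or without multiple source IPs) can be run as plain detection logic over parsed events. The following is an added example written for this page, not Coralogix's or Ivanti's own code: the event records, their field names (`type`, `user`, `src_ip`, `outcome`, `url`, `authenticated`) and the sample timeline are constructed for the illustration and are assumptions, not the product's real log schema. In Coralogix the same rules would be expressed over the fields the Ivanti parser actually produces.

```python
"""Detection logic for the alert rules above, run over constructed sample events."""
from collections import defaultdict
from datetime import datetime, timedelta


def build_sample_events():
    """Constructed sample events (not real Ivanti logs); field names are assumptions."""
    base = datetime(2024, 3, 1, 8, 0, 0)

    def auth(dt, user, ip, outcome):
        return {"ts": dt, "type": "auth", "user": user, "src_ip": ip, "outcome": outcome}

    def http(dt, ip, method, url):
        return {"ts": dt, "type": "http", "src_ip": ip, "method": method, "url": url, "authenticated": False}

    events = [
        auth(base - timedelta(days=10), "alice", "203.0.113.10", "success"),  # known user, normal history
        auth(base, "alice", "203.0.113.10", "failure"),                       # known user, one typo
        auth(base + timedelta(minutes=1), "bob", "198.51.100.7", "failure"),  # username never seen before
    ]
    # Password spray: one source IP, three different usernames
    for i, user in enumerate(["carol", "dave", "erin"]):
        events.append(auth(base + timedelta(minutes=5 + i), user, "198.51.100.7", "failure"))
    # Brute force: 20 failures against 'admin' from two IPs within a few minutes
    for i in range(20):
        ip = "198.51.100.7" if i % 2 else "198.51.100.8"
        events.append(auth(base + timedelta(minutes=30, seconds=20 * i), "admin", ip, "failure"))
    # Scanner: 12 distinct URLs requested unauthenticated within an hour
    for i in range(12):
        events.append(http(base + timedelta(hours=1, minutes=5 * i), "192.0.2.44", "GET", f"/portal/page{i}"))
    # One unauthenticated POST from the same scanner
    events.append(http(base + timedelta(hours=3), "192.0.2.44", "POST", "/portal/upload"))
    return sorted(events, key=lambda e: e["ts"])


def _failures(events):
    return [e for e in events if e["type"] == "auth" and e["outcome"] == "failure"]


def failed_logins_from_new_users(events, lookback_days=30):
    """Failed logins by users with no activity at all in the preceding lookback window."""
    last_seen, hits = {}, []
    for e in events:  # events must be time-ordered
        if e["type"] != "auth":
            continue
        prev = last_seen.get(e["user"])
        if e["outcome"] == "failure" and (prev is None or e["ts"] - prev > timedelta(days=lookback_days)):
            hits.append((e["ts"], e["user"], e["src_ip"]))
        last_seen[e["user"]] = e["ts"]
    return hits


def multiple_users_failed_from_single_ip(events, min_users=3, allowlist=frozenset()):
    """Source IPs with failures for at least min_users distinct users; allowlist your NAT egress IPs."""
    users_by_ip = defaultdict(set)
    for e in _failures(events):
        if e["src_ip"] not in allowlist:
            users_by_ip[e["src_ip"]].add(e["user"])
    return {ip: sorted(users) for ip, users in users_by_ip.items() if len(users) >= min_users}


def unauthenticated_requests_to_many_urls(events, more_than=10, window_hours=2):
    """Source IPs that hit more than `more_than` distinct URLs unauthenticated inside a sliding window."""
    reqs_by_ip, window, flagged = defaultdict(list), timedelta(hours=window_hours), []
    for e in events:
        if e["type"] == "http" and not e["authenticated"]:
            reqs_by_ip[e["src_ip"]].append((e["ts"], e["url"]))
    for ip, reqs in reqs_by_ip.items():
        for i, (start, _) in enumerate(reqs):
            if len({url for ts, url in reqs[i:] if ts - start <= window}) > more_than:
                flagged.append(ip)
                break
    return flagged


def failed_logins_single_user(events, min_failures=20, window_hours=1, require_multiple_ips=False):
    """Users with >= min_failures failures in a window; optionally only when they span more than one IP."""
    fails_by_user, window, flagged = defaultdict(list), timedelta(hours=window_hours), {}
    for e in _failures(events):
        fails_by_user[e["user"]].append((e["ts"], e["src_ip"]))
    for user, fails in fails_by_user.items():
        for i, (start, _) in enumerate(fails):
            ips = [ip for ts, ip in fails[i:] if ts - start <= window]
            if len(ips) >= min_failures and (not require_multiple_ips or len(set(ips)) > 1):
                flagged[user] = sorted(set(ips))
                break
    return flagged


def unauthenticated_posts(events):
    """Every unauthenticated POST, the raw trigger for the first alert above."""
    return [(e["ts"], e["src_ip"], e["url"]) for e in events
            if e["type"] == "http" and e["method"] == "POST" and not e["authenticated"]]


if __name__ == "__main__":
    evs = build_sample_events()
    print("new-user failures:", [(u, ip) for _, u, ip in failed_logins_from_new_users(evs)])
    print("spray by IP:", multiple_users_failed_from_single_ip(evs))
    print("scanners:", unauthenticated_requests_to_many_urls(evs))
    print("brute force:", failed_logins_single_user(evs, require_multiple_ips=True))
    print("unauth POSTs:", unauthenticated_posts(evs))
```

Note how the sample timeline separates the rules: alice's single failure is not a "new user" hit because she has a success 10 days earlier, while bob, carol, dave and erin are; the spray from 198.51.100.7 disappears once that IP is allowlisted, which is the NAT tuning the alert description recommends; and the admin brute force is caught by both single-user rules because the 20 failures arrive from two IPs. The window scans are O(n^2) per key, which is fine for an illustration but should become a time-bucketed aggregation in a real pipeline.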

No logs from Ivanti Pulse Secure Access

This rule detects when no logs have been received from Ivanti Pulse Secure Access in the customer account for the last 36 hours. Note: this alert should be configured with the relevant application and subsystem.

Impact: Disabling logging is a tactic adversaries employ, as part of various MITRE ATT&CK techniques, to avoid detection, cover their tracks, or impede incident response investigations.

Mitigation: Address the logging gap to ensure comprehensive monitoring within the Coralogix SIEM.

MITRE Tactic: TA0005 MITRE Technique: T1562

Integration

Learn more about Coralogix's out-of-the-box integration with Ivanti Pulse Secure Access in our documentation.
