19
The one alert I keep seeing misconfigured in every SOC I visit
I was helping a small bank in Ohio with their SIEM setup last month and every single admin had the same mistake. They had all their failed login alerts set to fire on any single failure. That means they got thousands of alerts a day from people just typing their password wrong. The real trick is to set a threshold, like 5 failures in 10 minutes from the same IP. That catches brute force attempts without burying the team. Why do so many people skip the threshold settings? Has anyone else found a common misconfiguration like this across different orgs?
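The threshold the post describes (5 failures in 10 minutes from the same source) as a small sliding-window detector run over constructed log lines. This is an added example, not code from the original post or from any SIEM product; the sshd-style line layout and the `SAMPLE_LOG` events are constructed assumptions, and the regex would need adjusting for a real log source. It also shows the "alert on every failure" behaviour side by side so the volume difference is visible.

```python
"""Threshold-based failed-login alerting (added example, not from the post).

Constructed sample events in an sshd-style layout with UTC ISO 8601 timestamps;
the field layout is an assumption, adjust LINE_RE for your own log source.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: one user typo, one burst from a single source,
# and two widely spaced failures that should not trip the threshold.
SAMPLE_LOG = """\
2024-05-01T09:00:01Z sshd[101]: Failed password for alice from 10.0.0.5 port 5001
2024-05-01T09:00:07Z sshd[101]: Accepted password for alice from 10.0.0.5 port 5002
2024-05-01T09:01:00Z sshd[102]: Failed password for invalid user admin from 198.51.100.7 port 40001
2024-05-01T09:01:02Z sshd[102]: Failed password for invalid user admin from 198.51.100.7 port 40002
2024-05-01T09:01:05Z sshd[102]: Failed password for root from 198.51.100.7 port 40003
2024-05-01T09:01:09Z sshd[102]: Failed password for root from 198.51.100.7 port 40004
2024-05-01T09:01:12Z sshd[102]: Failed password for root from 198.51.100.7 port 40005
2024-05-01T09:01:20Z sshd[102]: Failed password for root from 198.51.100.7 port 40006
2024-05-01T09:30:00Z sshd[103]: Failed password for bob from 10.0.0.9 port 5100
2024-05-01T09:45:00Z sshd[103]: Failed password for bob from 10.0.0.9 port 5101
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+$"
)


def parse(log_text):
    """Return (timestamp, failed, user, ip) tuples for every parseable line."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable lines are skipped here; count them in production
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["result"] == "Failed", m["user"], m["ip"]))
    return events


def per_event_alerts(events):
    """The misconfiguration from the post: one alert for every single failure."""
    return [(ts, ip, user) for ts, failed, user, ip in events if failed]


def threshold_alerts(events, threshold=5, window=timedelta(minutes=10)):
    """Alert when `threshold` failures from one source IP land inside `window`.

    Keeps a sliding window of failure timestamps per IP. After an alert the
    window is cleared, so a sustained burst yields one alert per `threshold`
    failures instead of one per event.
    """
    recent = defaultdict(deque)
    alerts = []
    for ts, failed, user, ip in sorted(events):
        if not failed:
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append({"ip": ip, "first": q[0], "last": ts, "count": len(q)})
            q.clear()
    return alerts


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print("per-event alerts:", len(per_event_alerts(evs)))
    for a in threshold_alerts(evs):
        print(f"ALERT {a['ip']}: {a['count']} failures between {a['first']} and {a['last']}")
```

On the constructed input the per-event rule raises nine alerts while the threshold rule raises one, for the burst from 198.51.100.7; the two spaced-out failures from 10.0.0.9 never accumulate five inside ten minutes. Keying only on source IP is the post's choice; a second window keyed on the target account is a cheap addition if you also want to notice many sources hitting one user.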
2 comments
garcia.charles 10d ago
Holy crap, a whole bank was doing that? That's insane, they must have been drowning in noise.
3
thompson.tyler 10d ago
Not quite drowning in noise, more like they were losing money on all those tiny transactions. The fees just couldn't cover the processing costs.
4