Managed Sentinel – Alert 020

Alert ID: MS-A020
Alert Name: Network switch login failure
Description: This alert identifies repeated network switch login failures that reach a predefined limit
Severity Level: Informational
Threat Indicator: Root Access
MITRE ATT&CK Tactics: Credential Access
Log sources: Network switches (Syslog)
False Positives: Approved penetration tests
Recommendations:
1. Change the admin/root/administrator account password
2. Log in to the switch via the console and review the change history
3. Block the IP address that requested console access at the perimeter firewall
4. Consider restricting access to switch management interfaces to selected internal IP addresses only, such as jumpboxes (best practice)
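As an added illustration of the threshold logic this alert describes (example code, not Managed Sentinel's own rule, which would be a Sentinel analytics query), the following Python counts switch login failures per switch and source address over a sliding time window and fires when the predefined limit is reached. The syslog message format, host names and addresses are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample syslog lines (not from the page). The "Login failed ..."
# message shape is an assumption standing in for a real switch's AAA log.
SAMPLE_SYSLOG = """\
<189>Mar 10 09:00:01 core-sw01 AAA: Login failed for user admin from 10.20.30.40 via ssh
<189>Mar 10 09:00:05 core-sw01 AAA: Login failed for user admin from 10.20.30.40 via ssh
<189>Mar 10 09:00:09 core-sw01 AAA: Login failed for user root from 10.20.30.40 via ssh
<189>Mar 10 09:00:12 core-sw01 AAA: Login failed for user admin from 10.20.30.40 via ssh
<189>Mar 10 09:00:15 core-sw01 AAA: Login failed for user admin from 10.20.30.40 via ssh
<189>Mar 10 09:05:00 dist-sw02 AAA: Login failed for user admin from 10.20.30.41 via console
<189>Mar 10 09:30:00 dist-sw02 AAA: Login failed for user admin from 10.20.30.41 via console
"""

LINE_RE = re.compile(
    r"^<\d+>(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) .*?"
    r"Login failed for user (?P<user>\S+) from (?P<src>\S+) via (?P<method>\S+)"
)


def parse(line, year=2024):
    """Extract timestamp, switch, user, source IP and access method; None if not a login failure."""
    m = LINE_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")  # syslog has no year
    return {"ts": ts, "host": m["host"], "user": m["user"], "src": m["src"], "method": m["method"]}


def detect(lines, limit=5, window_s=300):
    """Raise one alert per (switch, source IP) burst once `limit` failures occur within `window_s` seconds."""
    buckets = defaultdict(deque)
    alerts = []
    for ev in filter(None, map(parse, lines)):
        q = buckets[(ev["host"], ev["src"])]
        q.append(ev["ts"])
        while (ev["ts"] - q[0]).total_seconds() > window_s:  # drop failures outside the window
            q.popleft()
        if len(q) >= limit:
            alerts.append({"switch": ev["host"], "src": ev["src"], "count": len(q), "last": ev["ts"]})
            q.clear()  # fire once per burst rather than on every further failure
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_SYSLOG.splitlines()):
        print(f"MS-A020 {a['switch']}: {a['count']} login failures from {a['src']} (last {a['last']})")
```

The two isolated console failures on dist-sw02 fall outside the window and do not fire, which is the behaviour that keeps this alert at Informational severity instead of paging on every mistyped password.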