Managed Sentinel – Alert 020
| Field | Value |
| --- | --- |
| Alert ID | MS-A020 |
| Alert Name | Network switch login failure |
| Description | This alert identifies login failures on network switches within a predefined limit |
| Severity Level | Informational |
| Threat Indicator | Root Access |
| MITRE ATT&CK Tactics | Credential Access |
| Log sources | Network switches (Syslog) |
| False Positives | Approved penetration tests |

Recommendations:

1. Change the admin/root/administrator account password.
2. Log in to the switch via the console and review the change history.
3. Block the IP address that requested console access at the perimeter firewall.
4. Consider restricting access to switch management interfaces to selected internal IP addresses only, such as jumpboxes (best practice).
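The detection behind this alert, written out as an added example that is not Managed Sentinel's own rule: it parses switch syslog for login-failure messages, counts failures per switch and source IP inside a sliding time window, and raises an alert once the predefined limit is reached, surfacing the source IP that recommendation 3 needs. The log lines are constructed, the Cisco IOS-style `LOGIN_FAILED` message format and the threshold of 5 failures in 10 minutes are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample syslog from a switch; the Cisco IOS-style LOGIN_FAILED message format is an assumption.
SAMPLE_LOGS = """\
2024-03-01T09:00:01Z sw-core-01 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.7] [localport: 22] [Reason: Login Authentication Failed]
2024-03-01T09:00:14Z sw-core-01 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.7] [localport: 22] [Reason: Login Authentication Failed]
2024-03-01T09:00:27Z sw-core-01 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 203.0.113.7] [localport: 22] [Reason: Login Authentication Failed]
2024-03-01T09:01:03Z sw-core-01 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: administrator] [Source: 203.0.113.7] [localport: 22] [Reason: Login Authentication Failed]
2024-03-01T09:02:40Z sw-core-01 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.7] [localport: 22] [Reason: Login Authentication Failed]
2024-03-01T09:05:00Z sw-core-01 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: netops] [Source: 10.10.5.20] [localport: 22] [Reason: Login Authentication Failed]
2024-03-01T09:05:30Z sw-core-01 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: netops] [Source: 10.10.5.20] [localport: 22]
"""

LOGIN_FAILED = re.compile(
    r"^(?P<ts>\S+) (?P<switch>\S+) %SEC_LOGIN-4-LOGIN_FAILED: Login failed "
    r"\[user: (?P<user>[^\]]+)\] \[Source: (?P<src>[^\]]+)\]"
)

def parse_failures(text):
    """Extract (timestamp, switch, source IP, user) from LOGIN_FAILED lines; other messages are ignored."""
    events = []
    for line in text.splitlines():
        m = LOGIN_FAILED.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m["switch"], m["src"], m["user"]))
    return sorted(events)

def detect(events, threshold=5, window=timedelta(minutes=10)):
    """Raise one alert per (switch, source IP) whose failures reach `threshold` inside any sliding `window`."""
    by_key = defaultdict(list)
    for ts, switch, src, user in events:
        by_key[(switch, src)].append((ts, user))
    alerts = []
    for (switch, src), items in by_key.items():
        start = 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:  # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({"switch": switch, "source_ip": src, "count": end - start + 1,
                               "users": sorted({u for _, u in items[start:end + 1]})})
                break  # one alert per key is enough for triage
    return alerts

if __name__ == "__main__":
    for a in detect(parse_failures(SAMPLE_LOGS)):
        print(f"MS-A020 {a['switch']}: {a['count']} failures from {a['source_ip']} users={a['users']}")
```

The single failure from the jumpbox address stays below the limit and the successful login is not counted, so only the external source trips the alert.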