Objective
To analyse authentication logs using SIEM techniques to identify suspicious login activity that may indicate brute-force or unauthorised access attempts.
Scenario
The organisation observed multiple failed login attempts across different user accounts within a short time window.
As a cybersecurity analyst, I was tasked with investigating these logs to determine whether the activity was malicious or legitimate user behavior.
Sample Authentication Logs
```text
Dec 12 02:14:05 server sshd[1024]: Failed password for invalid user admin from 192.168.1.45 port 53421
Dec 12 02:14:07 server sshd[1024]: Failed password for invalid user admin from 192.168.1.45 port 53422
Dec 12 02:14:10 server sshd[1024]: Failed password for invalid user admin from 192.168.1.45 port 53423
Dec 12 02:14:15 server sshd[1024]: Accepted password for user john from 10.0.0.8 port 42133
Dec 12 02:14:20 server sshd[1024]: Failed password for user mary from 192.168.1.45 port 53425
```
Log Field Breakdown
Each authentication log entry contains the following components:
- Timestamp – indicates when the login attempt occurred
- Host – the server processing the authentication request
- Service (sshd) – Secure Shell authentication service
- Username – the account being targeted
- Source IP address – the origin of the login attempt
- Result – whether the login attempt succeeded or failed
Log Analysis
I analyzed the authentication logs by reviewing login outcomes, source IP addresses, and time patterns.
The following observations were made:
- The IP address 192.168.1.45 generated multiple failed login attempts within seconds.
- The same IP attempted access to multiple user accounts, including invalid and valid usernames.
- Failed attempts occurred repeatedly before any successful authentication.
- One successful login originated from a different internal IP address (10.0.0.8), indicating normal user behavior.
The rapid frequency and repetition from a single external IP strongly indicate automated attack behavior rather than user error.
Threat Identification
Based on the observed patterns, the activity aligns with a brute-force or credential-stuffing attack, where an attacker systematically attempts multiple username and password combinations to gain unauthorized access.
Potential Security Impact
If successful, this attack could result in unauthorized access to user accounts, data exposure, and potential lateral movement within the environment.
Early detection is critical to prevent account compromise and escalation.
Investigation Steps
- Reviewed the structure of authentication logs to identify relevant fields.
- Filtered failed login events by user account and source IP.
- Analyzed login frequency and time-based patterns.
- Correlated repeated failures from single IP addresses across multiple accounts.
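One way to implement the filtering and correlation steps above in code, as an added Python example that is not part of the original project. It assumes the sshd line format shown in the sample logs, an 08:00-17:59 business-hours window for the off-hours check, and a threshold of three failures from one source IP within 60 seconds.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample input in the same sshd format as the page's log excerpt.
SAMPLE_LOGS = """\
Dec 12 02:14:05 server sshd[1024]: Failed password for invalid user admin from 192.168.1.45 port 53421
Dec 12 02:14:07 server sshd[1024]: Failed password for invalid user admin from 192.168.1.45 port 53422
Dec 12 02:14:10 server sshd[1024]: Failed password for invalid user admin from 192.168.1.45 port 53423
Dec 12 02:14:15 server sshd[1024]: Accepted password for user john from 10.0.0.8 port 42133
Dec 12 02:14:20 server sshd[1024]: Failed password for user mary from 192.168.1.45 port 53425
"""

# Fields from the "Log Field Breakdown": timestamp, host, service, result, username, source IP.
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: (?P<result>Failed|Accepted) "
    r"password for (?P<kind>invalid user |user )?(?P<user>\S+) from (?P<ip>\d+(?:\.\d+){3}) port \d+$"
)
BUSINESS_HOURS = range(8, 18)  # assumed 08:00-17:59 working window for the off-hours check

def parse_line(line):
    """Return the fields of one sshd auth line as a dict, or None if the line does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.strptime(m["ts"], "%b %d %H:%M:%S"),  # syslog omits the year; deltas still work
            "result": m["result"], "user": m["user"], "ip": m["ip"],
            "invalid": m["kind"] == "invalid user "}  # sshd marks accounts that do not exist

def detect_bruteforce(log_text, threshold=3, window_seconds=60):
    """Flag source IPs with at least `threshold` failed logins inside any `window_seconds` span."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and ev["result"] == "Failed":
            failures[ev["ip"]].append(ev)
    alerts = {}
    for ip, events in failures.items():
        events.sort(key=lambda e: e["ts"])
        # Sliding window: any run of `threshold` consecutive failures that fits in the window triggers.
        burst = any((events[i + threshold - 1]["ts"] - events[i]["ts"]).total_seconds() <= window_seconds
                    for i in range(len(events) - threshold + 1))
        if burst:
            alerts[ip] = {
                "failures": len(events),
                "users": sorted({e["user"] for e in events}),
                "invalid_users": sorted({e["user"] for e in events if e["invalid"]}),
                "off_hours": any(e["ts"].hour not in BUSINESS_HOURS for e in events),
            }
    return alerts
```

Run against the sample, the only alert is for 192.168.1.45: four failures across the accounts admin (non-existent) and mary, all outside business hours; the successful login from 10.0.0.8 produces no alert.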
Findings
- Repeated failed login attempts were identified from a single IP address within a short period.
- Multiple user accounts were targeted, suggesting a brute-force or credential-stuffing attempt.
- Activity occurred outside normal business hours, increasing the likelihood of malicious intent.
Security Impact
If undetected, this activity could result in unauthorized access to user accounts, potential data exposure, and further compromise of internal systems.
Recommended Response Actions
- Block or rate-limit the source IP address (192.168.1.45).
- Enforce account lockout policies after multiple failed attempts.
- Enable multi-factor authentication (MFA).
- Configure SIEM alerts for repeated authentication failures.
- Monitor for further attempts targeting additional accounts.
What This Project Demonstrates
- Practical log analysis and threat detection skills.
- Understanding of SOC workflows and SIEM investigation processes.
- Ability to document findings and recommend actionable security controls.