The Monitor > Brute Force Protection page in Nebula lists active block rules from failed login attempts through Windows™ protocols on your managed endpoints. An active block rule is a temporary restriction, as configured in the Nebula policy, that prevents users and threat actors from logging into a device for a specified amount of time. Active block rules are automatically removed based on the expiration time set in the Nebula policy. If the trigger rule is set to monitor and detect, then invalid login attempts are not listed on this page.
Note: To review historical Brute Force Protection detections (found or blocked), navigate to Monitor > Detections and filter the columns as desired. For example:
- Type: Inbound Connection
- Action Taken: Found
- Detection Name: RDP Intrusion Detection
This article explains how to restore access to an endpoint, and how to sort and export data for active block rules.
Restore access to an endpoint
To restore access for an endpoint user, delete the block rule in your Nebula console. Deleting block rules requires the Nebula console Super Admin or Administrator role:
- Check the box for one or more endpoints.
- Click Delete.
- A confirmation dialog appears. Click Yes to remove the block rule from that endpoint.
Sort data in the results list
You can customize data in the results list in the following ways:
- Click Add / Remove Columns above the results list to choose which columns to display.
- Drag and drop certain column headers to the results bar to group data by those parameters.
- Hover your cursor over a column header to reveal a hamburger icon with options to pin and auto-size columns.
Click a column's filter icon to narrow the results. The filter list at the top of the screen shows which filters are applied; click a filtered item to remove it, or click Clear Filters to remove them all.
You can filter columns for the following values:
- Attack duration: Number of minutes the attack lasted.
- Attempts: Number of invalid login attempts on the endpoint.
- Created at: Timestamp when the trigger rule was met.
- Destination IP address: IP address of the endpoint.
- Endpoint: Name of the endpoint.
- Expiration time: Timestamp when the active block rule automatically expires and remote access is allowed on the device from the IP address again.
- Log in as: The username being attempted.
- OS type: Workstation or server.
- Port: Port number used in the attack.
- Protocol: Remote protocol targeted in the attack.
- Source country: The origin country of the attack.
- Source IP address: The origin IP address of the attack.
- User: Last logged in user on the device.
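The columns above describe each active block rule, and the Export button (below) lets you take the results list offline for triage. The following Python script is an added example, not Malwarebytes code, and it assumes the export is a CSV whose headers match the column names listed here and whose timestamps are ISO-8601 UTC; the sample rows are constructed. It parses the export, finds source IPs that have triggered block rules on more than one endpoint (a sweep that is better handled at the perimeter than device by device), totals attempts per targeted username, lists which rules are still active at a given time, and computes the attempt rate of each attack.

```python
import csv
import io
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed sample of an exported results list. The column names follow the
# page's filter list; the CSV layout and the ISO-8601 timestamps are assumptions,
# not the documented export format.
SAMPLE_EXPORT = """\
Endpoint,OS type,Protocol,Port,Source IP address,Source country,Log in as,Attempts,Attack duration,Created at,Expiration time
WS-01,Workstation,RDP,3389,203.0.113.10,Example-Land,administrator,120,15,2024-05-01T10:00:00Z,2024-05-01T11:00:00Z
SRV-02,Server,RDP,3389,203.0.113.10,Example-Land,admin,80,10,2024-05-01T10:05:00Z,2024-05-01T11:05:00Z
SRV-03,Server,SMB,445,198.51.100.7,Example-Land,backup,40,5,2024-05-01T09:00:00Z,2024-05-01T09:30:00Z
"""


def _parse_ts(value):
    """Parse the assumed ISO-8601 UTC timestamp format into an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_block_rules(text):
    """Turn the exported CSV into typed dicts, one per active block rule."""
    rules = []
    for row in csv.DictReader(io.StringIO(text)):
        rules.append({
            "endpoint": row["Endpoint"],
            "os_type": row["OS type"],
            "protocol": row["Protocol"],
            "port": int(row["Port"]),
            "source_ip": row["Source IP address"],
            "source_country": row["Source country"],
            "login_as": row["Log in as"],
            "attempts": int(row["Attempts"]),
            "attack_minutes": int(row["Attack duration"]),
            "created_at": _parse_ts(row["Created at"]),
            "expires_at": _parse_ts(row["Expiration time"]),
        })
    return rules


def sources_hitting_multiple_endpoints(rules):
    """Source IPs that have block rules on more than one endpoint."""
    seen = defaultdict(set)
    for r in rules:
        seen[r["source_ip"]].add(r["endpoint"])
    return {ip: sorted(eps) for ip, eps in seen.items() if len(eps) > 1}


def attempts_by_username(rules):
    """Total failed attempts per targeted username, most-targeted first."""
    counts = Counter()
    for r in rules:
        counts[r["login_as"]] += r["attempts"]
    return counts.most_common()


def rules_active_at(rules, now):
    """Endpoints whose block rule has not yet reached its expiration time."""
    return sorted(r["endpoint"] for r in rules if r["expires_at"] > now)


def attempts_per_minute(rule):
    """Login-attempt rate; a zero-length attack is reported as its raw attempt count."""
    if rule["attack_minutes"] == 0:
        return float(rule["attempts"])
    return rule["attempts"] / rule["attack_minutes"]


if __name__ == "__main__":
    rules = parse_block_rules(SAMPLE_EXPORT)
    print("sources blocked on several endpoints:", sources_hitting_multiple_endpoints(rules))
    print("attempts by username:", attempts_by_username(rules))
    now = datetime(2024, 5, 1, 10, 30, tzinfo=timezone.utc)
    print("still blocked at", now.isoformat(), ":", rules_active_at(rules, now))
    for r in rules:
        print(r["endpoint"], f"{attempts_per_minute(r):.1f} attempts/min")
```

Run it against a real export after confirming the header names match; if the console exports timestamps in another format, adjust `_parse_ts` accordingly.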
Export data
To download data to your local machine:
- Select all or check specific boxes for the rows you want to export.
- Click Export.