The Monitor > Brute Force Protection page in OneView lists active block rules created by failed login attempts through Windows™ protocols on your managed endpoints. An active block rule is a temporary restriction, as configured in the OneView policy, that prevents users and threat actors from logging into a device for a specified amount of time. Active block rules are automatically removed based on the expiration time set in the OneView policy. If the trigger rule is set to monitor and detect, invalid login attempts are not listed on this page.
Note: To review historical found and blocked Brute Force Protection detections, navigate to Monitor > Detections and filter the columns as desired. Below is an example:
Type: Inbound Connection
Action Taken: Found
Detection Name: RDP Intrusion Detection
This article explains how to restore access to an endpoint and how to sort and export data for active block rules.
Filter Brute Force Protection
The Brute Force Protection table helps you manage the available information more efficiently. The following features are available to refine your search results:
- Reset filters: In the upper-right corner of the page, click Reset filters to go back to the default filter settings.
- Add / Remove Columns: In the top-right of the table, click Add / Remove Columns to customize the table columns.
- Column pinning and auto-sizing: Next to a column header, click the filter button to display a checkbox list of different sub-filters you can apply. Click the filter tab to pin or auto-size the selected column.
- Right-click menu: In the table, click and drag to select and highlight a table section. Right-click on your selected information to copy it or export it as a .csv or an .xlsx file.
- Select all: Click the checkbox next to the Endpoint column header.
Admins can filter columns for the following values:
- Attack duration: Number of minutes the attack lasted.
- Attempts: Number of invalid login attempts on the endpoint.
- Created at: Timestamp when the trigger rule was met.
- Destination IP address: IP address of the endpoint.
- Endpoint: Name of the endpoint.
- Expiration time: Timestamp when the active block rule automatically expires and remote access is allowed on the device from the IP address again.
- Log in as: The username being attempted.
- OS type: Workstation or server.
- Port: Port number used in the attack.
- Protocol: Remote protocol targeted in the attack.
- Site: Site the endpoint is assigned to.
- Source country: The origin country of the attack.
- Source IP address: The origin IP address of the attack.
- User: Last logged in user on the device.
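Because the right-click menu exports the selected rows as a .csv file, the columns listed above can be analyzed outside OneView. The following is an added example, not part of the OneView documentation, that reads such an export, totals invalid attempts per source IP address, counts how many endpoints each source has hit, and lists the rules that are about to expire so an admin can decide whether to block the source elsewhere before the endpoint-level rule lapses. The sample rows are constructed, and the exact header spelling and timestamp format of a real export are assumptions.

```python
import csv
import io
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample of a .csv export from the Brute Force Protection table.
# Header names follow the column names on the page; the exact header spelling
# and the timestamp format of a real OneView export are assumptions.
SAMPLE_EXPORT = """\
Endpoint,Site,OS type,Protocol,Port,Destination IP address,Source IP address,Source country,Log in as,User,Attempts,Attack duration,Created at,Expiration time
WS-FINANCE-02,HQ,Workstation,RDP,3389,10.0.5.12,203.0.113.45,XX,administrator,jdoe,57,4,2024-05-01T08:12:00Z,2024-05-01T09:12:00Z
SRV-FILE-01,HQ,Server,RDP,3389,10.0.5.20,203.0.113.45,XX,admin,svc_backup,120,9,2024-05-01T08:15:00Z,2024-05-01T09:15:00Z
WS-SALES-07,Branch,Workstation,RDP,3389,10.0.9.31,198.51.100.8,YY,user,asmith,12,1,2024-05-01T08:40:00Z,2024-05-01T09:40:00Z
"""

INT_FIELDS = ("Attempts", "Attack duration", "Port")
TIME_FIELDS = ("Created at", "Expiration time")


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp such as 2024-05-01T08:12:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_block_rules(text):
    """Read an exported table and return one dict per active block rule,
    with numeric and timestamp columns converted to int and datetime."""
    rules = []
    for row in csv.DictReader(io.StringIO(text)):
        rule = dict(row)
        for field in INT_FIELDS:
            rule[field] = int(rule[field])
        for field in TIME_FIELDS:
            rule[field] = parse_ts(rule[field])
        rules.append(rule)
    return rules


def summarize_sources(rules):
    """Total invalid attempts and number of distinct endpoints per source IP.
    A source that shows up against several endpoints deserves more attention
    than the attempt count on any single rule suggests."""
    attempts = Counter()
    endpoints = {}
    for rule in rules:
        ip = rule["Source IP address"]
        attempts[ip] += rule["Attempts"]
        endpoints.setdefault(ip, set()).add(rule["Endpoint"])
    return attempts, {ip: len(eps) for ip, eps in endpoints.items()}


def active_rules(rules, now_iso):
    """Rules whose expiration time is still in the future at now_iso."""
    now = parse_ts(now_iso)
    return [r for r in rules if r["Expiration time"] > now]


def expiring_within(rules, now_iso, minutes):
    """Active rules that will lapse within the given number of minutes, i.e.
    the endpoints that will accept logins from the source again soon."""
    now = parse_ts(now_iso)
    horizon = now + timedelta(minutes=minutes)
    return [r for r in rules if now < r["Expiration time"] <= horizon]


if __name__ == "__main__":
    rules = parse_block_rules(SAMPLE_EXPORT)
    attempts, endpoints = summarize_sources(rules)
    for ip, total in attempts.most_common():
        print(f"{ip}: {total} attempts across {endpoints[ip]} endpoint(s)")
    for r in expiring_within(rules, "2024-05-01T09:00:00Z", 20):
        print(f"{r['Endpoint']}: rule expires at {r['Expiration time']:%H:%M}Z")
```

Run it against a real export by replacing SAMPLE_EXPORT with the file contents; if the export's header names differ from the column labels shown in the table, adjust INT_FIELDS, TIME_FIELDS and the key lookups to match.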