Response Processors: Login Processor: Incident - Site Login Invalid

Complexity: Suspicious (1.0)

Default Response: 16x (3 or more bad passwords per username) = Site Login Brute Force, 16x (less than 3 bad passwords per username) = Site Login Username Scan, 9x (bad passwords for same username) = Site Login User Brute Force.

Cause: The login processor is designed to protect the login dialog of the website. It works by monitoring all login attempts and identifying suspicious and malicious events. This specific incident is triggered when a user attempts to login with an invalid username and password. This incident alone is not considered malicious, but is used to perform additional analysis and can be promoted to a malicious incident if an abusive pattern is identified (such as many invalid logins representing a brute force attack).

Behavior: This incident simply reflects the case where a user has entered bad login information. By itself, this cannot be considered malicious as it is extremely common for a legitimate user to accidentally type their information incorrectly, or to forget their password. As such, it is only an indication of possible abuse and requires additional analysis and data before it can be confirmed as malicious or acceptable.