Analytics Case Types
Each case type below targets a specific kind of threatening activity or behavior. These cases help you visualize, detect, interrupt and announce threatening activity across your infrastructure.
Brute Force Case
Purpose
A Brute Force case detects both rapid and stealthy brute force login attempts where attackers attempt multiple password combinations against a single user account.
Case Creation Logic
A Brute Force case is created when:
- Two or more brute force alerts are detected for the same user.
This threshold is intended to reduce noise from isolated failures while still capturing slow or distributed brute force activity.
Risk Amplifiers (Severity Escalation)
The severity of the case is automatically increased when one or more of the following conditions apply:
- The targeted user holds administrative or privileged access.
- At least one of the brute force attempts resulted in a successful authentication.
What the Case Represents
This case represents a credential-based attack attempt, potentially escalating to account compromise if successful. It is particularly high-risk when directed at privileged identities.
MFA Bombing Case
Purpose
Identifies repeated MFA push notifications intended to overwhelm or fatigue users into approving an authentication request.
Case Creation Logic
An MFA Bombing case is created when any alert indicating an MFA fatigue or bypass attempt is detected, including:
- mfa_bombing_burst
- mfa_bombing_stealth
Unlike other case types, a single alert is sufficient to generate a case. This reflects the high intent and immediacy of MFA fatigue attacks.
Alert Grouping Behavior
All MFA bombing–related alerts for the same user are grouped into a single case to provide a complete view of the attack pattern.
What the Case Represents
This case indicates an active attempt to bypass MFA protections, often preceding account takeover. Even short-lived campaigns are treated as high-signal events.
Suspicious Behavior Case
Purpose
Identifies high-risk users by correlating multiple suspicious activities that, together, indicate a potential attack chain rather than an isolated anomaly.
Case Creation Logic
A Suspicious Behavior case is created when:
1. An initial access–type alert is detected, such as a brute force attempt, MFA bombing, or irregular or anomalous login activity (e.g., an unusual time or location).
2. This alert is followed by one or more additional alerts indicating suspicious behavior.
Correlation Window
All relevant alerts are grouped within the same calendar week for the same user.
Alert Scope
The case aggregates alerts classified as suspicious behavior according to the alert taxonomy defined in the documentation.
Alerts explicitly categorized as initial access are used as the starting signal, but are not themselves sufficient to form the case without follow-on activity.
What the Case Represents
This case reflects a multi-step attack pattern, where an adversary progresses from access attempts to post-authentication or reconnaissance-style activity. It is intended to surface accounts exhibiting behavioral risk over time, not just single-event anomalies.
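The three case-creation rules above (two or more brute force alerts per user with privileged-target and successful-login amplifiers; one MFA bombing alert per user grouped into a single case; an initial-access alert followed by suspicious behavior within the same calendar week) can be expressed as a small correlation routine. The following is an added example written for this page, not the product's own code. It assumes an alert taxonomy of its own: only `mfa_bombing_burst` and `mfa_bombing_stealth` come from the page; `brute_force`, `anomalous_login`, `mass_file_download`, `new_mfa_device_enrolled` and `privilege_change` are placeholder type names, the three-rung severity ladder is an assumed escalation model, and the sample alerts are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime

# Alert taxonomy assumed for this example. The page names only the two MFA
# bombing alert types; every other alert type here is a constructed placeholder.
MFA_BOMBING_TYPES = {"mfa_bombing_burst", "mfa_bombing_stealth"}
INITIAL_ACCESS_TYPES = {"brute_force", "anomalous_login"} | MFA_BOMBING_TYPES
SUSPICIOUS_BEHAVIOR_TYPES = {"mass_file_download", "new_mfa_device_enrolled", "privilege_change"}
SEVERITY_LEVELS = ["medium", "high", "critical"]  # assumed escalation ladder


@dataclass
class Alert:
    alert_type: str
    user: str
    ts: datetime
    success: bool = False  # brute force only: did this attempt authenticate?


@dataclass
class Case:
    case_type: str
    user: str
    severity: str
    alerts: list = field(default_factory=list)


def escalate(severity, steps):
    """Move `steps` rungs up the severity ladder, capped at the top rung."""
    idx = min(SEVERITY_LEVELS.index(severity) + steps, len(SEVERITY_LEVELS) - 1)
    return SEVERITY_LEVELS[idx]


def by_user(alerts, types):
    """Group the alerts whose type is in `types` by user, preserving order."""
    grouped = defaultdict(list)
    for a in alerts:
        if a.alert_type in types:
            grouped[a.user].append(a)
    return grouped


def brute_force_cases(alerts, privileged_users):
    """Two or more brute force alerts for one user open a case; each risk
    amplifier (privileged target, any successful login) raises severity one rung."""
    cases = []
    for user, bf in by_user(alerts, {"brute_force"}).items():
        if len(bf) < 2:
            continue  # an isolated failure stays noise
        amplifiers = int(user in privileged_users) + int(any(a.success for a in bf))
        cases.append(Case("brute_force", user, escalate("medium", amplifiers), bf))
    return cases


def mfa_bombing_cases(alerts):
    """A single MFA fatigue alert is enough; all such alerts per user share one case."""
    return [Case("mfa_bombing", user, "high", grp)
            for user, grp in by_user(alerts, MFA_BOMBING_TYPES).items()]


def suspicious_behavior_cases(alerts):
    """An initial-access alert followed, within the same ISO calendar week,
    by one or more suspicious-behavior alerts for the same user."""
    cases = []
    for user, grp in by_user(alerts, INITIAL_ACCESS_TYPES | SUSPICIOUS_BEHAVIOR_TYPES).items():
        weeks = defaultdict(list)
        for a in grp:
            iso = a.ts.isocalendar()
            weeks[(iso[0], iso[1])].append(a)  # (ISO year, ISO week)
        for week_alerts in weeks.values():
            week_alerts.sort(key=lambda a: a.ts)
            starts = [a for a in week_alerts if a.alert_type in INITIAL_ACCESS_TYPES]
            if not starts:
                continue  # no starting signal this week
            first = starts[0].ts
            follow_on = [a for a in week_alerts
                         if a.alert_type in SUSPICIOUS_BEHAVIOR_TYPES and a.ts > first]
            if follow_on:  # initial access alone never forms the case
                cases.append(Case("suspicious_behavior", user, "high", [starts[0]] + follow_on))
    return cases


def build_cases(alerts, privileged_users=frozenset()):
    return (brute_force_cases(alerts, privileged_users)
            + mfa_bombing_cases(alerts)
            + suspicious_behavior_cases(alerts))


# Constructed sample alerts (not real telemetry). 2024-03-04 is a Monday in ISO week 10.
T = datetime
SAMPLE_ALERTS = [
    Alert("brute_force", "admin.jane", T(2024, 3, 4, 8, 0)),
    Alert("brute_force", "admin.jane", T(2024, 3, 4, 8, 5), success=True),
    Alert("brute_force", "bob", T(2024, 3, 4, 9, 0)),            # lone alert: no case
    Alert("mfa_bombing_burst", "carol", T(2024, 3, 5, 10, 0)),
    Alert("mfa_bombing_stealth", "carol", T(2024, 3, 6, 10, 0)),
    Alert("anomalous_login", "dave", T(2024, 3, 6, 22, 0)),
    Alert("mass_file_download", "dave", T(2024, 3, 7, 1, 0)),
    Alert("anomalous_login", "erin", T(2024, 3, 9, 22, 0)),       # Saturday, ISO week 10
    Alert("mass_file_download", "erin", T(2024, 3, 11, 1, 0)),    # Monday, ISO week 11: no case
]

if __name__ == "__main__":
    for c in build_cases(SAMPLE_ALERTS, privileged_users={"admin.jane"}):
        print(c.case_type, c.user, c.severity, len(c.alerts))
```

Running the block yields three cases: a `critical` brute force case for `admin.jane` (privileged target plus a successful login), one MFA bombing case for `carol` holding both alerts, and a suspicious behavior case for `dave`. `bob` gets no case because a single brute force alert is below the two-alert threshold, and `erin` gets none because her follow-on activity falls in the next calendar week. The week boundary is the deliberate edge case here: a correlation window keyed to the calendar week, as the page describes, will miss a chain that straddles Sunday night, which is worth knowing when tuning the rule.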