Background
Businesses face escalating security threats, particularly in authentication and access control. Traditional perimeter defenses are often insufficient against evolving cyberattacks, where attackers compromise core assets by stealing privileged accounts or exploiting vulnerabilities such as weak passwords and plaintext passwords. Network Detection and Response (NDR) can detect risky logon behavior (such as the use of privileged accounts, weak passwords, plaintext passwords, and leaked AccessKey pairs), sensitive data operations, and high-risk service activity, and helps you visualize and analyze logon behavior.
Prerequisites
You have provisioned traffic from your assets. For more information, see Provisioning.
Logon behavior risk types
Risk type | Analysis |
Privileged account abuse | A privileged account provides extensive access to systems and data. A compromised privileged account can lead to catastrophic consequences. Monitoring and analyzing the logon behavior of privileged accounts in real time lets you quickly detect anomalous activities. Examples include logons from unknown geographic locations, access attempts outside of business hours, or unusual logon frequencies. This proactive monitoring helps prevent and mitigate potential threats. |
Weak password logon | Using a simple, easy-to-guess password is a primary cause of account compromise. You can significantly reduce the risk of brute-force attacks by enforcing strong, complex passwords. This product detects successful logons that use a weak password in network traffic, such as logons to Web, MySQL, or FTP services. It then alerts your security operations team to take corrective action, enhancing overall system security. |
Plaintext password transmission | Transmitting a plaintext password or a password that is not properly encrypted with a method such as base64, SHA, or AES, exposes your systems to attack. Encrypting all communications and monitoring network traffic for potential password exposure are critical security measures. This helps defend against external attackers and prevents accidental exposure of sensitive information by internal users. |
Logon with a leaked AccessKey pair | In a cloud environment, an AccessKey pair (AK/SK) is a core credential for authentication and authorization. If an AccessKey pair is leaked, an attacker can use it to access cloud resources such as Object Storage Service (OSS), databases, and virtual machines. The attacker can then perform malicious actions, including data theft, resource abuse, or unauthorized deployments. An attacker might also perform lateral movement to access other cloud resources, or even abuse cloud resources for cryptomining or Distributed Denial-of-Service (DDoS) attacks. More seriously, an attacker can use a leaked AccessKey pair to launch a fileless attack through legitimate API calls, without relying on malicious files or processes. This type of attack is highly stealthy and often evades traditional endpoint detection tools. This product monitors for successful logons that use a leaked AccessKey pair to quickly identify and alert on anomalous activity. This enables your team to take prompt action, prevent potential threats, and secure your cloud environment. |
Logon behavior analysis
Log on to the Network Detection and Response console.
In the left-side navigation pane, choose Risks.
On the Overview tab, view logon behavior risks and database behavior risks. You can click View Details to see more information on the corresponding tab.
Logon behavior
Privileged account logon behavior
On the tab:
View logs
In the Actions column, click View Logs to go to the Investigate page. This page shows logs filtered by logon behavior criteria such as Source IP and Destination Port.
View privileged account logon risk details
In the Actions column, click Details. In the Details panel, view the Basic Information and Privileged Account Login Details for the target asset.
In the Actions column, click View Payload to view the detailed payload for the record. Click the
icon to export all privileged account logon details included in this detection record.
Weak password logon behavior
On the tab:
View asset details
In the list of weak password logon risks, click an address in the Destination IP Address column to view the corresponding Asset Information.
In the lower section of the Asset Information dialog box, click Threat Analysis, Protocol Log, or Packet Query to go to the corresponding page and analyze the specified IP address. For more information, see Threat Analysis, Log Analysis, and Retrospective Analysis.
View logs
In the Actions column, click View Logs to go to the Investigate page. This page shows logs filtered by logon behavior criteria such as Source IP and Destination Port.
View weak password risk details
In the Actions column, click Details. In the Details panel, view the Basic Information and Weak Password Login Details for the target asset.
In the Actions column, click View Payload to view the detailed payload for the record. Click the
icon to export all weak password logon details included in this detection record.
Plaintext password logon behavior
On the tab:
View asset details
In the list of plaintext password logon risks, click an address in the Destination IP Address column to view the corresponding Asset Information.
In the lower section of the Asset Information dialog box, click Threat Analysis, Protocol Log, or Packet Query to go to the corresponding page and analyze the specified IP address. For more information, see Threat Analysis, Log Analysis, and Retrospective Analysis.
View logs
In the Actions column, click View Logs to go to the Investigate page. This page shows logs filtered by logon behavior criteria such as Source IP and Destination Port.
View plaintext password logon risk details
In the Actions column, click Details. In the Details panel, view the Basic Information and Plaintext Credential Login Details for the target asset.
In the Actions column, click View Payload to view the detailed payload for the record. Click the
icon to export all plaintext password logon details included in this detection record.
Leaked AccessKey pair logon behavior
On the tab:
View asset details
In the list of leaked AccessKey pair logon risks, click an address in the Destination IP Address column to view the corresponding Asset Information.
In the lower section of the Asset Information dialog box, click Threat Analysis, Protocol Log, or Packet Query to go to the corresponding page and analyze the specified IP address. For more information, see Threat Analysis, Log Analysis, and Retrospective Analysis.
View logs
In the Actions column, click View Logs to go to the Investigate page. This page shows logs filtered by logon behavior criteria such as Destination IP Address and Destination Port.
View leaked AccessKey pair logon risk details
In the Actions column, click Details. In the Details panel, view the Basic Information and Leaked AccessKey Pair Login Details for the target asset.
In the Actions column, click View Payload to view the detailed payload for the record. Click the
icon to export all leaked AccessKey pair logon details included in this detection record.
Other operations
Export data
Click the
icon in the upper-right corner of the list to add a download task.In the upper-right corner of the page, click Download Tasks. In the Tasks, you can view the download tasks for all risk types.
In the Actions column for a Completed task, you can click Download or Delete.
View sensitive data
Click Sensitive Information to view the sensitive information related to the logon behavior.
Customize list fields
Click the
icon to customize the fields displayed in the list.
Sensitive data behavior
In the left-side navigation pane, choose Risks.
On the Sensitive Data tab, view detected sensitive data and file transfers on your provisioned assets.
Sensitivity level
Description
S1
Non-sensitive data. Disclosing this type of data is unlikely to cause harm. Examples include provinces, cities, and product names.
S2
Generally sensitive data. This data is not suitable for public disclosure, and the harm from a data breach is low. Examples include names and addresses.
S3
Critically sensitive data. This data is highly sensitive, and even a small leak can cause serious harm. Examples include ID numbers, account passwords, and database credentials.
S4
Core confidential data. This data must not be disclosed under any circumstances. Examples include genetic data, fingerprints, and irises.
View asset details
In the sensitive data or sensitive file behavior list, click an IP in the IP Address column to view the corresponding Asset Information.
In the lower section of the Asset Information dialog box, click Intelligence Profile, Protocol Log, or Packet Query to go to the corresponding page and analyze the specified IP address. For more information, see Threat Analysis, Log Analysis, and Retrospective Analysis.
View logs
In the Actions column, click View Logs to go to the Investigate page. This page shows logs filtered based on the behavior criteria.
View sensitive data and file behavior details
Sensitive data
In the Actions column, click Details. In the Details panel, view the Basic Information and Sensitive Information for the target asset.
Click the number in the Sensitive Information Items column to view the sensitive information included in the record.
In the Actions column, click View Payload to view the detailed payload for the record.
Sensitive file
In the Actions column, click Details. In the Details panel, view the Basic Information and Sensitive File Risk Details for the target asset.
In the Actions column, click File Details to view information about the sensitive file included in the record.
In the Actions column, click View Payload to view the detailed payload for the record.
High-risk service behavior
In the left-side navigation pane, choose Risks.
On the High-Risk Service tab, view the details of detected high-risk service behaviors.
In the Actions column, click View Logs to go to the Investigate tab. This page shows logs filtered by the behavior criteria.
Database behavior analysis
In the left-side navigation pane, choose Risks.
On the Database Activity tab, view information about database risk behaviors on public and private networks.
In the Actions column, click Details to view risk behavior details, AI-powered analysis, and remediation suggestions.
In the Actions column, click View Logs to go to the Investigate tab. This page shows data filtered by specific criteria. For more information, see Protocol Parsing Backtrack.
References
To ensure data security, you can configure NDR policies to deny viewing and exporting of sensitive data.
icon to customize the fields displayed in the list.