CasesC-1301

Suspicious API Access - C-1301

Detected on May 12, 2025 at 02:14 AM · Updated 18m ago
Status
Open
Due in 2h 15m
Severity
High
Score: 8.6
Assignee
PN
Priya Nair
IT Lead
Owner
AB
Alex B.
SecOps Team
Priority
P1
High Priority

Case Overview

A series of anomalous API requests detected from an unmanaged cloud host.

Case ID
C-1301
Case Type
Suspicious API Access
Tactic / Technique
Credential Access / T1110
Detection Source
Wazuh SIEM
First Detected
May 12, 2025 at 02:14 AM
Last Activity
May 12, 2025 at 02:42 AM
Environment
Prod
Tags
AuthenticationVPNAccount Takeover

Affected Systems

View all (2)
VPN-GW-01Online
10.0.1.15 · Palo Alto GlobalProtect
High
svc-vpn-access
Privileged Account
High

Linked Alerts

View all (4)
Brute force login attempt detected
Wazuh · May 12, 2025 02:14 AM
High
Multiple failed logins - threshold exceeded
Wazuh · May 12, 2025 02:16 AM
Medium
Suspicious source IP geo-anomalous
Wazuh · May 12, 2025 02:18 AM
Medium

SLA & Timing

68%
Remaining
SLA24h 0m
DueDue in 2h 15m
Elapsed9h 42m
SLA Target: 24hTime remaining: 14h 18m

Stakeholders

Edit
AB
Alex B.
Case Owner
PN
Priya Nair
Assignee
MR
Miguel R.
SOC Manager
IT
Ian T.
Infrastructure Team

Related Reports

View all
Weekly Security Summary
May 5 – May 11, 2025
PDF
Authentication Threat Report
April 2025
PDF

Export Case Summary

Download a summary of this case including details, evidence, and timeline.

Investigation Notes

Initial triage shows multiple failed VPN logins using the svc-vpn-access account from an external IP with no known business justification.

  • Verified account is a service account used by automation.
  • Source IP 203.0.113.45 not in allowlist.
  • No successful login observed.
  • Account locked as a precaution.
  • Monitoring for additional activity.
PN
Priya Nair · May 12, 2025 03:02 AM (edited)
View full notes

Evidence Attachments (4)

View all
vpn_failed_logins_2025-05-12.log
72 KB · May 12, 02:16 AM
wazuh_alert_5501.json
18 KB · May 12, 02:18 AM
firewall_traffic_203.0.113.45.pcap
1.4 MB · May 12, 02:22 AM
account_lock_event.png
93 KB · May 12, 02:25 AM

Comments / Collaboration

PN
AB
Alex B.Owner· May 12, 2025 03:15 AM

Locked the svc-vpn-access account and added 203.0.113.45 to the firewall blocklist. Monitoring for any downstream activity.

Reply