Logging + alerting on failed/unusual logins
Demonstrate that all authentication systems log failed and unusual login events, forward those logs to a monitored security platform, and generate alerts that trigger timely investigation and response by authorized personnel.
Description
What this control does
This control requires the organization to configure authentication systems to generate timestamped log entries for both failed login attempts and anomalous successful logins (e.g., unusual geographic location, time of day, or device). Logs must be forwarded to a centralized system capable of generating real-time or near-real-time alerts to security operations personnel based on defined thresholds and behavioral patterns. This capability enables early detection of credential compromise, brute-force attacks, and unauthorized access attempts before attackers establish persistence.
Control objective
What auditing this proves
Demonstrate that all authentication systems log failed and unusual login events, forward those logs to a monitored security platform, and generate alerts that trigger timely investigation and response by authorized personnel.
Associated risks
Risks this control addresses
- Undetected brute-force password attacks against user accounts or service principals
- Credential stuffing campaigns leveraging previously breached username-password pairs
- Successful account takeover resulting from phishing, malware, or social engineering going unnoticed
- Insider threat activity using compromised or shared credentials outside normal behavior patterns
- Lateral movement by attackers using stolen credentials across multiple systems without triggering investigation
- Delayed incident response due to lack of visibility into authentication anomalies
- Compliance violations from failure to detect and document unauthorized access attempts
Testing procedure
How an auditor verifies this control
- Obtain and review the organization's inventory of authentication systems including identity providers, VPNs, remote access gateways, privileged access management tools, and critical applications.
- Select a representative sample of at least three authentication systems spanning different infrastructure tiers (e.g., corporate SSO, cloud IAM, administrative jump host).
- Review logging configuration for each sampled system to confirm failed login attempts are captured with timestamp (from a synchronized clock, with the time zone recorded), username, source IP address, and failure reason, and confirm that the submitted credential itself is never written to the log (a password typed into the username field is a common way secrets leak into authentication logs).
- Review logging configuration to confirm unusual login detection criteria are defined, such as geographic anomalies, impossible travel, off-hours access, new device enrollment, or multiple concurrent sessions.
- Trace log flow from each sampled authentication system to the centralized SIEM, log aggregator, or monitoring platform, verifying automated forwarding is active and functional.
- Review alerting rules and thresholds configured in the monitoring platform for failed login events (e.g., five failures against one account within ten minutes) and unusual login patterns. Confirm a per-source rule also exists (one source IP failing against many distinct accounts in the same window), since password spraying deliberately keeps each account below the per-account threshold.
- Interview SOC or security operations personnel to confirm alert receipt process, escalation procedures, and typical response timeframes for authentication-related alerts.
- Perform, or review records of, a recent test in which failed or unusual logins were generated deliberately, and verify that the corresponding log entries reached the monitoring platform, that alerts fired, and that they were investigated.
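The kind of detection logic an auditor would expect to find behind the alerting rules above, written out as an added example for this page rather than taken from any SIEM product or from the control text itself. The log format (one `key=value` line per authentication event with a geolocation already attached), the thresholds, the business-hours window and the sample log lines are all constructed for the example. It implements four rules over the same event stream: the per-account failure threshold from the procedure, a per-source rule that catches password spraying, impossible travel between two successful logins, and off-hours success.

```python
import math
from collections import defaultdict
from datetime import datetime, timezone

# Detection parameters. These thresholds are assumptions for the example; the
# per-account figure mirrors the "five failures within ten minutes" in the procedure.
WINDOW_SECONDS = 10 * 60
FAIL_THRESHOLD = 5        # failures against one account inside the window
SPRAY_THRESHOLD = 5       # distinct accounts one source IP fails against inside the window
MAX_SPEED_KMH = 900.0     # faster than this between two successes is "impossible travel"
MIN_DISTANCE_KM = 50.0    # ignore geolocation jitter below this distance
OFF_HOURS = (22, 6)       # successes from 22:00 up to 06:00 UTC are flagged (assumed business hours)

# Constructed sample log lines in a hypothetical key=value format; not from any real system.
SAMPLE_LOG = """\
2024-03-04T02:10:01Z user=alice src=203.0.113.10 result=FAIL reason=bad_password lat=51.50 lon=-0.12
2024-03-04T02:10:09Z user=alice src=203.0.113.10 result=FAIL reason=bad_password lat=51.50 lon=-0.12
2024-03-04T02:10:20Z user=alice src=203.0.113.10 result=FAIL reason=bad_password lat=51.50 lon=-0.12
2024-03-04T02:11:02Z user=alice src=203.0.113.10 result=FAIL reason=bad_password lat=51.50 lon=-0.12
2024-03-04T02:11:45Z user=alice src=203.0.113.10 result=FAIL reason=bad_password lat=51.50 lon=-0.12
2024-03-04T03:00:00Z user=carol src=192.0.2.5 result=OK reason=- lat=40.71 lon=-74.01
2024-03-04T09:00:00Z user=bob src=198.51.100.7 result=FAIL reason=bad_password lat=48.86 lon=2.35
2024-03-04T09:00:10Z user=carol src=198.51.100.7 result=FAIL reason=bad_password lat=48.86 lon=2.35
2024-03-04T09:00:20Z user=dave src=198.51.100.7 result=FAIL reason=bad_password lat=48.86 lon=2.35
2024-03-04T09:00:30Z user=erin src=198.51.100.7 result=FAIL reason=unknown_user lat=48.86 lon=2.35
2024-03-04T09:00:40Z user=frank src=198.51.100.7 result=FAIL reason=bad_password lat=48.86 lon=2.35
2024-03-04T09:30:00Z user=bob src=192.0.2.20 result=OK reason=- lat=51.50 lon=-0.12
2024-03-04T10:00:00Z user=bob src=203.0.113.77 result=OK reason=- lat=-33.87 lon=151.21
2024-03-04T11:00:00Z user=dave src=192.0.2.8 result=OK reason=- lat=51.50 lon=-0.12
"""


def parse_line(line):
    """Parse one key=value log line into a dict; the first field is the UTC timestamp."""
    ts_text, *fields = line.split()
    event = {k: v for k, v in (f.split("=", 1) for f in fields)}
    event["ts"] = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    event["lat"], event["lon"] = float(event["lat"]), float(event["lon"])
    return event


def distance_km(lat1, lon1, lat2, lon2):
    """Great-circle distance (haversine); accurate enough for impossible-travel checks."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def detect(log_text):
    """Run all four rules over the log; return (rule, subject, timestamp) alerts in time order."""
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()), key=lambda e: e["ts"])
    alerts = set()
    fails_by_user = defaultdict(list)   # user -> timestamps of recent failures
    fails_by_src = defaultdict(list)    # src  -> (timestamp, user) of recent failures
    last_ok = {}                        # user -> most recent successful event
    for e in events:
        if e["result"] == "FAIL":
            # Rule 1: brute force, many failures against one account inside the window.
            window = [t for t in fails_by_user[e["user"]] if (e["ts"] - t).total_seconds() <= WINDOW_SECONDS]
            window.append(e["ts"])
            fails_by_user[e["user"]] = window
            if len(window) >= FAIL_THRESHOLD:
                alerts.add(("brute_force", e["user"], e["ts"]))
            # Rule 2: password spraying, one source failing against many accounts; each
            # account stays under the rule 1 threshold, so a per-account rule alone misses it.
            recent = [(t, u) for t, u in fails_by_src[e["src"]] if (e["ts"] - t).total_seconds() <= WINDOW_SECONDS]
            recent.append((e["ts"], e["user"]))
            fails_by_src[e["src"]] = recent
            if len({u for _, u in recent}) >= SPRAY_THRESHOLD:
                alerts.add(("password_spray", e["src"], e["ts"]))
        else:
            # Rule 3: impossible travel between consecutive successes for the same account.
            prev = last_ok.get(e["user"])
            if prev is not None:
                hours = (e["ts"] - prev["ts"]).total_seconds() / 3600
                km = distance_km(prev["lat"], prev["lon"], e["lat"], e["lon"])
                if km > MIN_DISTANCE_KM and (hours == 0 or km / hours > MAX_SPEED_KMH):
                    alerts.add(("impossible_travel", e["user"], e["ts"]))
            last_ok[e["user"]] = e
            # Rule 4: successful login outside the assumed business hours (UTC).
            start, end = OFF_HOURS
            if e["ts"].hour >= start or e["ts"].hour < end:
                alerts.add(("off_hours", e["user"], e["ts"]))
    return sorted(alerts, key=lambda a: (a[2], a[0]))


if __name__ == "__main__":
    for rule, subject, ts in detect(SAMPLE_LOG):
        print(f"{ts.isoformat()} {rule:<18} {subject}")
```

On the constructed log this yields four alerts: brute force against `alice` on her fifth failure, the off-hours success by `carol`, a spray from `198.51.100.7` once it has failed against five different accounts, and impossible travel for `bob` (London to Sydney in thirty minutes). Note that the spraying source never trips the per-account rule, which is exactly why the audit step asks for both kinds of threshold. In a real deployment the same rules would run as SIEM correlation searches, and an auditor's walkthrough would check that each of these four scenarios actually produces an alert end to end.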
Where this control is tested