Palo Brute Force Detected

Question

I'm getting notices from security team that one of my pollers is making excessive connection attempts to my SW Db. This is apparently in response to my reboot, post Windows Update. This particular poller is seprated from the core and the Db by a Palo firewall with appropriate rule sin place to allow the necessary poller to core and poller to Db connections. My question is what exactly is this poller doing that would trigger these alarms?

threatid: Microsoft SQL Server User Authentication Brute Force Attempt(40010)

jameslindsay · Answer

While there are pages of this along with pages of nothing but success, I did find this. That line at the bottom is really suspect

Having said that, the Palo was still triggering the alert after hours and hours of nothing bu successful logins.

mesverrum · Answer

I believe in the past I have seen issues where the config wizard it set to use auto detect for the SQL auth type, so it tries local sql auth first, fails, then does windows based auth with the same cred and succeeds.  I could see maybe that causing the issue?  You can confirm if you look at the sql server error event logs inside SSMS.

jameslindsay · Answer

Thanks for the informative response. In this case, this is the poller trying to communicate with the Orion Db Server. There are no Db's monitored from this poller that I can find. I have no issue connecting to the Database from the poller using DB Manager and there is no indication that the poller is in distress.