Data Exfiltration Detection

Login Bruteforce incidents are patterns of high-volume, repetitive authentication failures targeting an organization's identity infrastructure. Unlike network-level attacks, these incidents directly target your organization's Active Directory, typically as a precursor to ransomware deployment or a data breach.

By detecting this malicious activity, Lumu provides visibility into three critical areas:

  • Identity attacks: Detects attempts to compromise user credentials before unauthorized access occurs.
  • Lateral movement: Signals a potential internal compromise in which a threat actor attempts to spread across the network.
  • Technical debt: Identifies misconfigured services or scripts using expired credentials that generate noise and mimic attack patterns.

This document outlines how the Lumu Portal delivers insight into the detection of this attack. By providing the necessary context (Scope, Severity, and Source), it presents a contextualized narrative of the attack that supports the decision-making of your organization's response team.

Collected Data

Lumu captures specific metadata fields to facilitate forensic analysis and scope determination. The data collected for this incident includes:

  • Failed login attempts: Number of failed login events detected within a short period of time.
  • Bruteforce attempts: Number of Bruteforce attempts registered. A single Bruteforce attempt groups together multiple failed login events occurring in rapid succession within the same period of time.
  • Attempt duration: Time that the Bruteforce attempt lasted.
  • Active Directory Domain: The specific AD domain to which the authentication requests were directed.
  • Attacker Source: A list of the specific names or IP addresses of the endpoints generating the traffic.
  • Targeted users: A list of the specific usernames targeted.

Incident details

The Lumu Portal delivers the collected data to facilitate rapid triage and decision-making. The data is displayed as follows:

1. Summary: This section highlights critical information, including the First and Last Login Events and the Incident Duration. This data establishes a general scope of the incident that allows analysts to quickly differentiate between a momentary spike and a sustained campaign against their organization’s Active Directory.

2. Attempts Details: This section aggregates the most relevant data regarding the brute force activity. It quantifies the attack's overall severity and scope, allowing analysts to immediately assess the magnitude of the threat.

  • Brute Force Attempts: Displays the number of distinct attack waves, helping to identify whether the attack was a continuous stream or a series of pulsed attempts, which aids in recognizing automated scripts.
  • Target User Accounts: Shows the total count of unique identities affected, which determines the breadth of the campaign, distinguishing between a focused attack on a single high-value target and a spray attack aiming to find any weak link across the organization.
  • Attacker Sources: Indicates the number of originating endpoints. This reveals the attack structure, clarifying whether the threat is centralized (a single infected host) or distributed (a botnet), which dictates the necessary containment strategy (single isolation vs. perimeter blocking).
  • Failed Login Events: Counts the total volume of authentication failures. It reflects the intensity of the attack, helping to assess the potential load impact on the authentication servers.

3. Attempts List: A detailed list that breaks down each individual Bruteforce attempt, displaying specific information per attempt. This granular view enables pattern analysis, allowing analysts to identify mechanical regularities (indicating misconfigured services) or erratic spikes (indicating active human adversaries).
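The following script is an added example, not Lumu's own code, showing how the metrics described under Collected Data and Incident details can be derived from raw failed-login records: it groups failures into attempts using a silence gap, computes each attempt's duration, classifies it as focused vs. spray and centralized vs. distributed, scores the regularity of its timing (mechanical vs. erratic, as the Attempts List is meant to reveal), and rolls the attempts up into the incident Summary. The gap threshold, minimum event count, classification cut-offs and all sample events are constructed assumptions and do not reflect how the Lumu Portal actually groups events.

```python
"""Group failed-login events into brute-force attempts and compute incident
metrics. Added example with constructed data; thresholds are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, pstdev


@dataclass(frozen=True)
class FailedLogin:
    ts: datetime
    source: str   # hostname or IP of the endpoint that sent the request
    user: str     # account name that was targeted
    domain: str   # AD domain the request was directed at


def _t(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed sample telemetry (not real data):
SAMPLE_EVENTS = (
    # attempt 1: one host hammering one account every 2 s (mechanical timing)
    [FailedLogin(_t("2024-05-01T09:00:00") + timedelta(seconds=2 * i),
                 "10.0.0.5", "jdoe", "corp.example") for i in range(12)]
    # attempt 2: three hosts spraying eight accounts at irregular intervals
    + [FailedLogin(_t("2024-05-01T09:10:00") + timedelta(seconds=off), src, user,
                   "corp.example")
       for off, src, user in zip([0, 1, 7, 8, 20, 21, 35, 50],
                                 ["10.0.0.7", "10.0.0.8", "10.0.0.9"] * 3,
                                 ["alice", "bob", "carol", "dave",
                                  "erin", "frank", "grace", "heidi"])]
    # a lone failure much later: an ordinary typo that must not become an attempt
    + [FailedLogin(_t("2024-05-01T09:30:00"), "10.0.0.5", "jdoe", "corp.example")]
)

GAP = timedelta(seconds=30)  # assumed: a silence longer than this ends an attempt
MIN_EVENTS = 5               # assumed: fewer failures than this is noise, not an attempt


@dataclass
class Attempt:
    events: list  # FailedLogin records in time order

    @property
    def start(self) -> datetime:
        return self.events[0].ts

    @property
    def end(self) -> datetime:
        return self.events[-1].ts

    @property
    def duration(self) -> timedelta:
        return self.end - self.start

    @property
    def users(self) -> list:
        return sorted({e.user for e in self.events})

    @property
    def sources(self) -> list:
        return sorted({e.source for e in self.events})

    def shape(self) -> str:
        # assumed cut-off: three or more distinct accounts looks like a spray
        return "spray" if len(self.users) >= 3 else "focused"

    def structure(self) -> str:
        return "distributed" if len(self.sources) >= 2 else "centralized"

    def regularity(self) -> str:
        # coefficient of variation of inter-arrival times: near zero means a
        # script or cron job, large means bursty, human-driven activity
        gaps = [(b.ts - a.ts).total_seconds()
                for a, b in zip(self.events, self.events[1:])]
        if len(gaps) < 2 or mean(gaps) == 0:
            return "unknown"
        cv = pstdev(gaps) / mean(gaps)
        return "mechanical" if cv < 0.25 else "erratic"  # assumed cut-off


def group_attempts(events, gap=GAP, min_events=MIN_EVENTS) -> list:
    """Split time-sorted failures into runs separated by silences longer than
    `gap`, keeping only runs with at least `min_events` failures."""
    runs, current = [], []
    for ev in sorted(events, key=lambda e: e.ts):
        if current and ev.ts - current[-1].ts > gap:
            runs.append(current)
            current = []
        current.append(ev)
    if current:
        runs.append(current)
    return [Attempt(r) for r in runs if len(r) >= min_events]


def summarize(attempts) -> dict:
    """Roll attempts up into the incident-level figures shown in the Summary
    and Attempts Details sections."""
    events = [e for a in attempts for e in a.events]
    if not events:
        return {"bruteforce_attempts": 0, "failed_login_events": 0,
                "target_user_accounts": 0, "attacker_sources": 0}
    first, last = min(e.ts for e in events), max(e.ts for e in events)
    return {
        "bruteforce_attempts": len(attempts),
        "failed_login_events": len(events),
        "target_user_accounts": len({e.user for e in events}),
        "attacker_sources": len({e.source for e in events}),
        "first_login_event": first,
        "last_login_event": last,
        "incident_duration": last - first,
    }


if __name__ == "__main__":
    found = group_attempts(SAMPLE_EVENTS)
    for i, a in enumerate(found, 1):
        print(f"attempt {i}: {a.start} -> {a.end} ({a.duration}), "
              f"{len(a.events)} failures, {a.shape()}, {a.structure()}, {a.regularity()}")
    print(summarize(found))
```

With the constructed sample the script reports two attempts: a 22-second focused, centralized, mechanical run against a single account, and a 50-second spray from three sources with erratic timing; the lone later failure is dropped as noise. In a real deployment the gap and minimum-count thresholds should be tuned against the baseline failure rate of the domain, otherwise scheduled tasks with stale credentials will show up as perfectly regular "attacks", which is exactly the technical-debt signal the page mentions.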

Attempt details

You can review the details of each attempt by clicking on it. This detailed view provides further information about the attempt:

  • Summary: Information about the attempt that provides context on the scope of the attack.
  • Attacker Source: This field identifies the specific endpoints initiating the connection requests.
  • Target Users: This section lists the specific user accounts under attack. It allows analysts to immediately identify whether high-value accounts (such as Administrators) or specific departments are being targeted.

Incident data export

While the Lumu Portal displays the most critical data points, such as the top attacking sources and target users, complex attacks often involve volumes of traffic that exceed what can be efficiently displayed on a single screen. For that reason, Lumu supports in-depth investigations with its Export feature, which allows analysts to move beyond the high-level summary and access the complete forensic dataset of the incident.

You can export data using the dropdown menu located at the top of the page (1) or using the buttons at the top of the Attempt Details section (2).

Exportable data

You can export the following data for this incident:

  • Targeted Users
    Generates a focused list of every account compromised or targeted during the incident. It provides an immediate list of accounts for forcing password resets or applying stricter MFA policies, without needing to sift through raw traffic logs.
  • Attacker Sources
    Extracts the unique IP addresses or hostnames initiating the attacks, giving security teams or firewall administrators a clean list of malicious sources to block at the perimeter.
  • All Attempts
    Downloads the complete, raw dataset of the entire incident lifecycle. It can serve as the master record for comprehensive auditing, long-term trend analysis, or ingestion and correlation with other security events.

Attempt data

You can also export the data for a specific attempt. Open the details of the selected attempt and click Download failed logins.

This allows forensic analysts to isolate and examine the traffic of a single attack attempt (for example, a 3-minute window) to understand the precise timing and behavior of the adversary during that interval.
