Detect Excessive User Account Lockouts

Description

This search detects user accounts that have been locked out a relatively high number of times in a short period.

Content Mapping

This content is not mapped to any local saved search. Add mapping


Use Case

Security Monitoring

Category

Account Compromise

Alert Volume

This search detects user accounts that have been locked out a relatively high number of times in a short period.

SPL Difficulty

None

Journey

Stage 1

MITRE ATT&CK Tactics

Defense Evasion
Persistence
Privilege Escalation
Initial Access

MITRE ATT&CK Techniques

Valid Accounts

Local Accounts

MITRE Threat Groups

APT32
FIN10
PROMETHIUM
Stolen Pencil
Tropic Trooper

Data Sources

Authentication

   Help

Detect Excessive User Account Lockouts Help

ou must ingest your Windows security event logs in the Change datamodel under the nodename is Account_Management, for this search to execute successfully. Please consider updating the cron schedule and the count of lockouts you want to monitor, according to your environment.

   Search

Open in Search