t1110.001
| Title | Tags |
| --- | --- |
| a user with more than 20 failed authentication attempts in the span of 5 minutes may also be triggered by a broken application. | t1110, t1110.001, t1201, aws account, azure tenant, splunk |
| a user with successful authentication events from different ips may also represent the legitimate use of more than one device. filter as needed and/or customize the threshold to fit your environment. | t1110, t1110.001, T1110.003, T1535, t1586, aws account, azure tenant, splunk |
| account fallback reasons (after failed login with specific account) | t1110, t1110.001, windows, sigma |
| administrator tooling or automated scripts may make these calls but it is highly unlikely to make several calls in a short period of time. | t1110, t1110.001, t1586, t1586.003, aws account, splunk |
| although unusual, users who have lost their passwords may trigger this detection. filter as needed. | t1110, t1110.001, o365 tenant, splunk |
| software that uses the caret encased keywords pass and user in its command line | t1110, t1110.001, windows, sigma |
| users may genuinely mistype or forget the password. | t1110, t1110.001, t1586, t1586.003, aws account, splunk |