Techniques
Sample rules
Detect Excessive User Account Lockouts
- source: splunk
- techniques:
  - T1078
  - T1078.003
Description
This search detects user accounts that have been locked out a relatively high number of times in a short period.
Detection logic
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Change.All_Changes where All_Changes.result="*lock*" by All_Changes.user All_Changes.result
| `drop_dm_object_name("All_Changes")`
| `drop_dm_object_name("Account_Management")`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| search count > 5
| `detect_excessive_user_account_lockouts_filter`
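The aggregation the tstats search performs, reproduced in Python over constructed sample events so the logic can be read and tested offline. This is an added example, not code from the Splunk rule or from Splunk's content library: the event records, the user names and the `ctime` helper (which stands in for the `security_content_ctime` macro) are assumptions, and the result filter is a case-insensitive substring match standing in for the `*lock*` wildcard.

```python
from collections import defaultdict
from datetime import datetime, timezone

BASE = 1_700_000_000  # constructed epoch anchor for the sample data


def _events(user, result, n, start):
    """Build n events for one user, one minute apart (constructed data)."""
    return [{"_time": start + i * 60, "user": user, "result": result} for i in range(n)]


# Constructed sample events (not real Splunk data), holding only the
# Change.All_Changes fields the search reads: _time, user, result.
SAMPLE_EVENTS = (
    _events("alice", "lockout", 7, BASE)              # 7 lockouts in 7 minutes
    + _events("bob", "lockout", 3, BASE + 900)        # 3 lockouts: below threshold
    + _events("carol", "unlocked", 6, BASE + 1800)    # "*lock*" also matches "unlocked"
    + _events("dave", "success", 1, BASE + 3600)      # no match at all
)


def ctime(epoch):
    """Stand-in for the `security_content_ctime` macro: epoch -> readable UTC string."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%S")


def detect_excessive_lockouts(events, threshold=5, pattern="lock"):
    """Equivalent of the search: group by (user, result) where result matches
    the pattern, compute count/firstTime/lastTime, keep rows with count > threshold.

    Splunk field-value matches such as result="*lock*" are case-insensitive,
    so the substring test lowercases the value before comparing.
    """
    groups = defaultdict(list)
    for ev in events:
        if pattern.lower() in ev["result"].lower():
            groups[(ev["user"], ev["result"])].append(ev["_time"])

    rows = []
    for (user, result), times in groups.items():
        count = len(times)
        if count > threshold:  # mirrors `| search count > 5`
            rows.append({
                "user": user,
                "result": result,
                "count": count,
                "firstTime": ctime(min(times)),
                "lastTime": ctime(max(times)),
            })
    # Highest counts first so the noisiest account tops the alert table.
    rows.sort(key=lambda r: (-r["count"], r["user"]))
    return rows


if __name__ == "__main__":
    for row in detect_excessive_lockouts(SAMPLE_EVENTS):
        print(row)
```

Running it against the sample data flags `alice` (7 lockouts) and also `carol`, whose six `unlocked` events satisfy the `*lock*` wildcard. That second row is the caveat to keep in mind when tuning: the search groups by `result`, so unlock events appear as their own rows rather than inflating the lockout count, but they still pass the `count > 5` threshold unless the result filter is narrowed (for example, `pattern="lockout"` in this function) or excluded in `detect_excessive_user_account_lockouts_filter`.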