it is possible that a legitimate user is experiencing an issue causing multiple account login failures leading to lockouts.

t1078
t1078.003
windows
splunk

Techniques

T1078
T1078.003

Sample rules

Detect Excessive User Account Lockouts

source: splunk
technicques:
- T1078
- T1078.003

Description

This search detects user accounts that have been locked out a relatively high number of times in a short period.

Detection logic


| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Change.All_Changes where  All_Changes.result="*lock*" by All_Changes.user All_Changes.result 
|`drop_dm_object_name("All_Changes")` 
|`drop_dm_object_name("Account_Management")`
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| search count > 5 
| `detect_excessive_user_account_lockouts_filter`