LoFP / It's possible that a widely used system, such as a kiosk, could cause a large number of account lockouts.

Techniques

Sample rules

Detect Excessive Account Lockouts From Endpoint

Description

The following analytic detects endpoints that generate a high number of account lockouts within the search's time window. It leverages Windows security event logs ingested into the Change data model (dataset Change.All_Changes, which includes the Account_Management node): it counts events whose result field matches the wildcard "*lock*" per destination host and result value, records the first and last time and the affected users, and alerts when the count exceeds five. Because the match is a substring wildcard, any normalized result value containing "lock" is counted (including an "unlocked" value, if the source populates result that way), and each distinct result value for a host is reported as its own row. This activity is significant because it may indicate a brute-force attack against accounts from that host, or a misconfigured system (a service, scheduled task or shared kiosk with stale or mistyped credentials) repeatedly failing authentication. If confirmed malicious, it indicates an attacker guessing credentials for many accounts from one endpoint, disrupting user access through the lockouts and risking compromise of any account where a guess succeeds before the lockout threshold is reached. Known kiosks or other shared systems can be excluded through the detection's filter macro.

Detection logic


| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(All_Changes.user) as user from datamodel=Change.All_Changes where All_Changes.result="*lock*" by All_Changes.dest All_Changes.result 
|`drop_dm_object_name("All_Changes")` 
|`drop_dm_object_name("Account_Management")`
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| search count > 5 
| `detect_excessive_account_lockouts_from_endpoint_filter`
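The following Python script re-implements the logic of the tstats search above so it can be exercised offline against a handful of constructed events. It is an added example, not Splunk's code or part of the original rule: the event dictionaries use CIM-style field names (dest, user, result, _time) and are made up for the demonstration, the threshold of five mirrors the search count > 5 line, and the excluded_dests parameter stands in for the detection's filter macro, where a known kiosk would be suppressed. It also shows that the "*lock*" wildcard pulls in an "unlocked" result value when the source happens to normalize it that way.

```python
"""Offline re-implementation of 'Detect Excessive Account Lockouts From Endpoint'.

Added example, not Splunk's own code. Events are constructed to look like
Change.All_Changes rows (dest, user, result, _time); the field values are
assumptions, not real Windows TA output.
"""
from collections import defaultdict
from fnmatch import fnmatchcase

# Constructed sample events: a shared kiosk locking out eight different users,
# plus one workstation with a single lockout that is later unlocked, and one
# unrelated success event that must not be counted.
SAMPLE_EVENTS = [
    {"_time": 1700000000 + i * 30, "dest": "KIOSK-LOBBY-01",
     "user": f"user{i:02d}", "result": "locked out"}
    for i in range(8)
] + [
    {"_time": 1700000100, "dest": "WS-FINANCE-07", "user": "alice", "result": "locked out"},
    {"_time": 1700000160, "dest": "WS-FINANCE-07", "user": "alice", "result": "unlocked"},
    {"_time": 1700000200, "dest": "DC01", "user": "bob", "result": "success"},
]


def splunk_like_match(value, pattern):
    """Wildcard comparison in the spirit of Splunk's field=value matching.
    Case-insensitivity is an assumption made here for the demonstration."""
    return fnmatchcase(value.lower(), pattern.lower())


def matched_results(events, result_pattern="*lock*"):
    """Distinct result values the wildcard selects; shows that 'unlocked'
    is swept in by '*lock*' as well as 'locked out'."""
    return sorted({ev["result"] for ev in events
                   if splunk_like_match(ev["result"], result_pattern)})


def detect_excessive_lockouts(events, result_pattern="*lock*", threshold=5,
                              excluded_dests=()):
    """Mirror the tstats search: group matching events by (dest, result),
    keep count, firstTime, lastTime and the set of users, then return only
    rows whose count exceeds the threshold (the SPL `search count > 5`).
    excluded_dests plays the role of the `_filter` macro."""
    groups = defaultdict(lambda: {"count": 0, "firstTime": None,
                                  "lastTime": None, "user": set()})
    for ev in events:
        if ev["dest"] in excluded_dests:
            continue
        if not splunk_like_match(ev["result"], result_pattern):
            continue
        g = groups[(ev["dest"], ev["result"])]
        g["count"] += 1
        t = ev["_time"]
        g["firstTime"] = t if g["firstTime"] is None else min(g["firstTime"], t)
        g["lastTime"] = t if g["lastTime"] is None else max(g["lastTime"], t)
        g["user"].add(ev["user"])

    rows = []
    for (dest, result), g in groups.items():
        if g["count"] > threshold:
            rows.append({"dest": dest, "result": result, "count": g["count"],
                         "firstTime": g["firstTime"], "lastTime": g["lastTime"],
                         "user": sorted(g["user"])})
    return sorted(rows, key=lambda r: (r["dest"], r["result"]))


if __name__ == "__main__":
    print("result values matched by '*lock*':", matched_results(SAMPLE_EVENTS))
    for row in detect_excessive_lockouts(SAMPLE_EVENTS):
        print(row)
    print("after excluding the kiosk:",
          detect_excessive_lockouts(SAMPLE_EVENTS, excluded_dests={"KIOSK-LOBBY-01"}))
```

Run against the sample, only KIOSK-LOBBY-01 clears the threshold, and the row's user list (eight distinct accounts from one host) is exactly the shape the false-positive note on this page describes; a kiosk that legitimately serves many users looks the same as a host spraying passwords, so the filter macro (excluded_dests here) is where that tuning belongs.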