Techniques
Sample rules
Detect Excessive Account Lockouts From Endpoint
- source: splunk
- technicques:
- T1078
- T1078.002
Description
The following analytic detects endpoints causing a high number of account lockouts within a short period. It leverages the Windows security event logs ingested into the Change
datamodel, specifically under the Account_Management
node, to identify and count lockout events. This activity is significant as it may indicate a brute-force attack or misconfigured system causing repeated authentication failures. If confirmed malicious, this behavior could lead to account lockouts, disrupting user access and potentially indicating an ongoing attack attempting to compromise user credentials.
Detection logic
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(All_Changes.user) as user from datamodel=Change.All_Changes where All_Changes.result="*lock*" by All_Changes.dest All_Changes.result
|`drop_dm_object_name("All_Changes")`
|`drop_dm_object_name("Account_Management")`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| search count > 5
| `detect_excessive_account_lockouts_from_endpoint_filter`