Cisco ASA - User Account Lockout Threshold Exceeded
- source: splunk
- techniques:
- T1110.001
- T1110.003
Description
This analytic detects user account lockouts on Cisco ASA devices resulting from excessive failed authentication attempts. Account lockouts may indicate brute force attacks, password spraying campaigns, credential stuffing attempts using compromised credentials from external breaches, or misconfigured automation attempting authentication with incorrect credentials. These activities represent attempts to gain unauthorized access to network infrastructure. The detection monitors for ASA message ID 113006, which is generated when a user account is locked out after exceeding the configured maximum number of failed authentication attempts, capturing the locked account name and the failure threshold that was exceeded. Investigate account lockouts for privileged or administrative accounts, multiple simultaneous lockouts affecting different accounts (suggesting password spraying), lockouts originating from unusual source IP addresses, lockouts during off-hours, or patterns suggesting automated attack tools.
Detection logic
`cisco_asa`
message_id IN (113006)
| rex "locked out on exceeding '(?<attempts_count>\d+)' successive failed authentication attempts"
| rex "User '(?<user>[^']+)' locked out"
| eval failure_description="locked out on exceeding " . attempts_count . " successive failed authentication attempts"
| fillnull
| stats earliest(_time) as firstTime
latest(_time) as lastTime
values(message_id) as message_id
values(failure_description) as failure_description
by host user
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cisco_asa___user_account_lockout_threshold_exceeded_filter`