LoFP / security audits may trigger this alert. conditions that generate bursts of failed logins, such as misconfigured applications or account lockouts could trigger this alert.

Techniques

• T1110

Sample rules

Unusual Login Activity

• source: elastic
• technicques:
  • T1110

Description

Identifies an unusually high number of authentication attempts.

Detection logic