
Summary
This detection rule identifies excessive account lockouts occurring from Windows endpoints within a short time frame, using the Change datamodel in Splunk. The analytic focuses on lockout results reported in the Account_Management node of the Windows security event log. The detection searches for lockout events generated against user accounts and summarizes the count of lockout events triggered from the same endpoint. A high number of lockouts could indicate a brute-force attack or a misconfiguration that repeatedly fails authentication. Confirmed instances can cause significant disruption to user access and may signify an attempt to compromise user account credentials.
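As an added illustration (not the rule's own Splunk search, and not code from the page), the same grouping expressed in Python over constructed lockout records: events are assumed to be normalised to `_time`, `src`, `user` and `result` fields as a Change datamodel search would produce, and the 10-minute window and threshold of 5 are assumed values chosen for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not from the page). Each mirrors a Windows
# security event 4740 ("A user account was locked out") after normalisation
# into Change datamodel fields: _time, src (endpoint), user, result.
SAMPLE_EVENTS = [
    {"_time": "2024-11-13T10:00:05", "src": "WKSTN-07", "user": "alice", "result": "lockout"},
    {"_time": "2024-11-13T10:00:31", "src": "WKSTN-07", "user": "bob", "result": "lockout"},
    {"_time": "2024-11-13T10:01:02", "src": "WKSTN-07", "user": "carol", "result": "lockout"},
    {"_time": "2024-11-13T10:01:40", "src": "WKSTN-07", "user": "dave", "result": "lockout"},
    {"_time": "2024-11-13T10:02:11", "src": "WKSTN-07", "user": "alice", "result": "lockout"},
    {"_time": "2024-11-13T10:02:55", "src": "WKSTN-07", "user": "erin", "result": "lockout"},
    {"_time": "2024-11-13T09:15:00", "src": "SRV-DB01", "user": "svc_sql", "result": "lockout"},
    {"_time": "2024-11-13T08:00:00", "src": "WKSTN-12", "user": "frank", "result": "lockout"},
    {"_time": "2024-11-13T08:30:00", "src": "WKSTN-12", "user": "frank", "result": "lockout"},
    {"_time": "2024-11-13T09:00:00", "src": "WKSTN-12", "user": "frank", "result": "lockout"},
    {"_time": "2024-11-13T09:30:00", "src": "WKSTN-12", "user": "frank", "result": "lockout"},
    {"_time": "2024-11-13T10:00:00", "src": "WKSTN-12", "user": "frank", "result": "lockout"},
    {"_time": "2024-11-13T10:03:10", "src": "WKSTN-07", "user": "alice", "result": "unlocked"},
]

def excessive_lockouts(events, window=timedelta(minutes=10), threshold=5):
    """Group lockout results by source endpoint and flag any endpoint with
    `threshold` or more lockouts inside one sliding window of `window`.
    Returns {src: {"peak": n, "total": n, "users": [...]}}."""
    by_src = defaultdict(list)
    for ev in events:
        if ev.get("result") != "lockout":  # ignore unlocks and other changes
            continue
        by_src[ev["src"]].append((datetime.fromisoformat(ev["_time"]), ev["user"]))

    hits = {}
    for src, recs in by_src.items():
        recs.sort()  # the sliding window needs time order
        peak, start = 0, 0
        for end in range(len(recs)):
            # shrink the window from the left until it spans at most `window`
            while recs[end][0] - recs[start][0] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            hits[src] = {"peak": peak, "total": len(recs),
                         "users": sorted({u for _, u in recs})}
    return hits

if __name__ == "__main__":
    for src, info in excessive_lockouts(SAMPLE_EVENTS).items():
        print(f"{src}: {info['peak']} lockouts in window, {info['total']} total, users={info['users']}")
```

With the sample data only WKSTN-07 is flagged; WKSTN-12 has the same five lockouts but spread over two hours, so it only fires if the window is widened, which is the tuning trade-off behind this rule.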
Categories
- Endpoint
- Windows
Data Sources
- Windows Registry
- Application Log
ATT&CK Techniques
- T1078
- T1078.002
Created: 2024-11-13