splApache-2.0from splunk/security_content
Detect Excessive User Account Lockouts
The following analytic identifies user accounts experiencing an excessive number of lockouts within a short timeframe. It leverages the 'Change' data model, specifically focusing on events where the result indicates a lockout. This activity is significant as it may indicate a brute-force attack or misconfiguration, both of which require immediate attention. If confirmed malicious, this behavior could lead to account compromise, unauthorized access, and potential lateral movement within the network.
Quality
67
FP risk
—
Forks
0
Views
0
Rule sourcedetections/endpoint/detect_excessive_user_account_lockouts.yml
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Change.All_Changes
WHERE All_Changes.result="*lock*"
BY All_Changes.user All_Changes.result
| `drop_dm_object_name("All_Changes")`
| `drop_dm_object_name("Account_Management")`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| search count > 5
| `detect_excessive_user_account_lockouts_filter`