Detect Excessive User Account Lockouts
Description
The following analytic identifies user accounts experiencing an excessive number of lockouts within a short timeframe. It leverages the 'Change' data model, specifically focusing on events where the result indicates a lockout. This activity is significant as it may indicate a brute-force attack or misconfiguration, both of which require immediate attention. If confirmed malicious, this behavior could lead to account compromise, unauthorized access, and potential lateral movement within the network.
- Type: Anomaly
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel: Change
- Last Updated: 2024-05-20
- Author: David Dorsey, Splunk
- ID: 95a7f9a5-6096-437e-a19e-86f42ac609bd
Annotations
ATT&CK
Kill Chain Phase
- Exploitation
- Installation
- Delivery
NIST
- DE.AE
CIS20
- CIS 10
CVE
Search
1
2
3
4
5
6
7
8
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Change.All_Changes where All_Changes.result="*lock*" by All_Changes.user All_Changes.result
|`drop_dm_object_name("All_Changes")`
|`drop_dm_object_name("Account_Management")`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| search count > 5
| `detect_excessive_user_account_lockouts_filter`
Macros
The SPL above uses the following Macros:
detect_excessive_user_account_lockouts_filter is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Required fields
List of fields required to use this analytic.
- _time
- All_Changes.result
- nodename
- All_Changes.user
How To Implement
ou must ingest your Windows security event logs in the Change
datamodel under the nodename is Account_Management
, for this search to execute successfully. Please consider updating the cron schedule and the count of lockouts you want to monitor, according to your environment.
Known False Positives
It is possible that a legitimate user is experiencing an issue causing multiple account login failures leading to lockouts.
Associated Analytic Story
RBA
Risk Score | Impact | Confidence | Message |
---|---|---|---|
36.0 | 60 | 60 | Excessive user account lockouts for $user$ in a short period of time |
The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact is set by the analytic author.
Reference
Test Dataset
Replay any dataset to Splunk Enterprise by using our replay.py
tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range
source | version: 6