Description

This search detects user accounts that have been locked out a relatively high number of times in a short period.

  • Type: Anomaly
  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Change
  • Last Updated: 2020-07-21
  • Author: David Dorsey, Splunk
  • ID: 95a7f9a5-6096-437e-a19e-86f42ac609bd

ATT&CK

ID         Technique       Tactic
T1078      Valid Accounts  Defense Evasion, Persistence, Privilege Escalation, Initial Access
T1078.003  Local Accounts  Defense Evasion, Persistence, Privilege Escalation, Initial Access

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Change.All_Changes where nodename=All_Changes.Account_Management All_Changes.result="lockout" by All_Changes.user All_Changes.result 
|`drop_dm_object_name("All_Changes")` 
|`drop_dm_object_name("Account_Management")`
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| search count > 5 
| `detect_excessive_user_account_lockouts_filter`
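The aggregation the search above performs (filter to Account_Management lockout results, count per user with firstTime/lastTime, keep rows with count > 5), re-implemented in Python over constructed sample records so the threshold and edge cases can be checked offline. This is an added example, not Splunk's own code; the event dictionaries, field names and the NODENAME constant are assumptions modelling normalized Change datamodel rows.

```python
from datetime import datetime

NODENAME = "All_Changes.Account_Management"


def _ev(minute, user, result="lockout", nodename=NODENAME):
    """Build one constructed Change-datamodel record at 2020-07-21 08:<minute>."""
    return {"_time": f"2020-07-21T08:{minute:02d}:00", "nodename": nodename,
            "user": user, "result": result}


# Constructed sample input, not real telemetry: what Windows lockout events look
# like after normalization into Change.All_Changes / Account_Management.
SAMPLE_EVENTS = (
    [_ev(m, "jsmith") for m in (1, 3, 4, 7, 9, 12)]     # 6 lockouts -> count > 5
    + [_ev(m, "cdoe") for m in (2, 8, 14, 20, 26)]      # exactly 5 -> not flagged
    + [_ev(m, "bjones") for m in (5, 15, 30)]           # 3 lockouts -> below threshold
    + [_ev(6, "jsmith", result="success")]              # not a lockout, ignored
    + [_ev(10, "jsmith", nodename="All_Changes.Other")] # wrong datamodel node, ignored
)


def detect_excessive_lockouts(events, threshold=5):
    """Equivalent of the tstats search: keep Account_Management lockouts, aggregate
    count/firstTime/lastTime by (user, result), return rows with count > threshold.
    The "short period" is the scheduled search's time range; all events passed in count."""
    stats = {}
    for ev in events:
        if ev.get("nodename") != NODENAME or ev.get("result") != "lockout":
            continue
        ts = datetime.fromisoformat(ev["_time"])
        key = (ev["user"], ev["result"])
        agg = stats.setdefault(key, {"count": 0, "firstTime": ts, "lastTime": ts})
        agg["count"] += 1
        agg["firstTime"] = min(agg["firstTime"], ts)
        agg["lastTime"] = max(agg["lastTime"], ts)
    hits = []
    for (user, result), agg in sorted(stats.items()):
        if agg["count"] > threshold:  # `| search count > 5` is strictly greater-than
            hits.append({"user": user, "result": result, "nodename": NODENAME,
                         "count": agg["count"],
                         "firstTime": agg["firstTime"].isoformat(),
                         "lastTime": agg["lastTime"].isoformat()})
    return hits


def risk_message(hit):
    """Render the RBA message with the $nodename$/$result$/$user$ tokens filled in."""
    return (f"Multiple accounts have been locked out. Review {hit['nodename']} "
            f"and {hit['result']} related to {hit['user']}.")
```

Lowering `threshold` mirrors adjusting the count of lockouts in the search, as the implementation notes recommend for your environment.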

Associated Analytic Story

How To Implement

You must ingest your Windows security event logs into the Change datamodel under the nodename Account_Management for this search to execute successfully. Consider adjusting the cron schedule and the count of lockouts you want to monitor according to your environment.

Required field

  • _time
  • All_Changes.result
  • nodename
  • All_Changes.user

Kill Chain Phase

Known False Positives

It is possible that a legitimate user is experiencing an issue causing multiple account login failures leading to lockouts.

RBA

Risk Score  Impact  Confidence  Message
36.0        60      60          Multiple accounts have been locked out. Review $nodename$ and $result$ related to $user$.

Reference

Test Dataset

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively, you can replay a dataset into a Splunk Attack Range.

source | version: 3