This search detects user accounts that have been locked out a relatively high number of times in a short period.
- Type: Anomaly
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel: Change
- Last Updated: 2020-07-21
- Author: David Dorsey, Splunk
- ID: 95a7f9a5-6096-437e-a19e-86f42ac609bd
| ID | Technique | Tactic |
| --- | --- | --- |
| T1078.003 | Local Accounts | Defense Evasion, Persistence, Privilege Escalation, Initial Access |
```
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Change.All_Changes where nodename=All_Changes.Account_Management All_Changes.result="lockout" by All_Changes.user All_Changes.result
| `drop_dm_object_name("All_Changes")`
| `drop_dm_object_name("Account_Management")`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| search count > 5
| `detect_excessive_user_account_lockouts_filter`
```
Associated Analytic Story
How To Implement
You must ingest your Windows security event logs into the Change datamodel under the Account_Management nodename for this search to execute successfully. Please consider updating the cron schedule and the count of lockouts you want to monitor, according to your environment.
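To make the search logic concrete, the following Python re-implements what the tstats pipeline above does (count lockout events per user, keep first and last time, alert when count exceeds the threshold) and shows where the tunable pieces from the implementation notes sit: the `count > 5` threshold and the `_filter` macro. This is an added example, not code from Splunk's security content. It assumes events already mapped to the Change datamodel fields `user`, `result` and `_time` under the `Account_Management` node; the sample events, the timestamp format used for `security_content_ctime`, and the exclusion list fed to the filter stand-in are constructed assumptions.

```python
"""Stand-alone re-implementation of the lockout-count detection (added example,
not Splunk's own code). Events are dicts carrying the Change datamodel fields
the search uses; all sample data below is constructed."""
from datetime import datetime, timezone

BASE = 1595289600 + 8 * 3600  # 2020-07-21 08:00:00 UTC (constructed anchor time)


def _ev(user, result, offset_seconds):
    # One Change.All_Changes event with only the fields the search touches.
    return {"_time": BASE + offset_seconds, "nodename": "Account_Management",
            "user": user, "result": result}


# Constructed sample: one noisy service account, a normal user with two lockouts,
# a user whose events are not lockouts at all, and a second noisy account that
# the SOC has documented as expected (used to show the filter macro's role).
SAMPLE_EVENTS = (
    [_ev("svc_backup", "lockout", i * 120) for i in range(7)]
    + [_ev("jdoe", "lockout", i * 300) for i in range(2)]
    + [_ev("asmith", "success", i * 60) for i in range(3)]
    + [_ev("svc_scanner", "lockout", i * 90) for i in range(6)]
)


def security_content_ctime(epoch):
    # Mirrors the intent of `security_content_ctime`: epoch seconds to a readable
    # timestamp. The exact format string is an assumption for this example.
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%m/%d/%Y %H:%M:%S")


def detect_excessive_lockouts(events, threshold=5):
    """Equivalent of: tstats count min(_time) max(_time) where result="lockout"
    by user result, followed by `search count > threshold`."""
    stats = {}
    for ev in events:
        # The `where` clause: only Account_Management events whose result is lockout.
        if ev.get("nodename") != "Account_Management" or ev.get("result") != "lockout":
            continue
        key = (ev["user"], ev["result"])  # the `by` fields
        s = stats.setdefault(key, {"count": 0, "firstTime": ev["_time"], "lastTime": ev["_time"]})
        s["count"] += 1
        s["firstTime"] = min(s["firstTime"], ev["_time"])
        s["lastTime"] = max(s["lastTime"], ev["_time"])
    results = []
    for (user, result), s in sorted(stats.items()):
        if s["count"] > threshold:  # tune this the way the notes suggest
            results.append({"user": user, "result": result, "count": s["count"],
                            "firstTime": security_content_ctime(s["firstTime"]),
                            "lastTime": security_content_ctime(s["lastTime"])})
    return results


def apply_filter(results, excluded_users=()):
    # Stand-in for `detect_excessive_user_account_lockouts_filter`. The shipped
    # macro is a no-op (`search *`) meant to be tuned per environment; here the
    # assumed tuning drops accounts documented as known-noisy.
    excluded = set(excluded_users)
    return [r for r in results if r["user"] not in excluded]


RISK_MESSAGE = ("Multiple accounts have been locked out. "
                "Review $nodename$ and $result$ related to $user$.")


def risk_message(row, nodename="Account_Management"):
    # Expand the $field$ tokens of the page's risk message for one result row.
    return (RISK_MESSAGE.replace("$nodename$", nodename)
            .replace("$result$", row["result"])
            .replace("$user$", row["user"]))


if __name__ == "__main__":
    flagged = apply_filter(detect_excessive_lockouts(SAMPLE_EVENTS), excluded_users=["svc_scanner"])
    for row in flagged:
        print(row["count"], row["firstTime"], row["lastTime"], risk_message(row))
```

With the constructed events, `svc_backup` (7 lockouts) and `svc_scanner` (6) clear the `count > 5` threshold while `jdoe` (2) and `asmith` (no lockouts) do not; the filter stand-in then suppresses the documented `svc_scanner` account, so only `svc_backup` reaches the risk message. Lowering `threshold` is the programmatic equivalent of editing `search count > 5` in the SPL.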
Kill Chain Phase
Known False Positives
It is possible that a legitimate user is experiencing an issue causing multiple account login failures leading to lockouts.
| Risk Score | Impact | Confidence | Message |
| --- | --- | --- | --- |
| 36.0 | 60 | 60 | Multiple accounts have been locked out. Review $nodename$ and $result$ related to $user$. |
source | version: 3