Account Lockout
Identifies a user account that has been locked because the user tried to sign in too many times with an incorrect user ID or password.
Sigma rule
```yaml
title: Account Lockout
id: 2b7d6fc0-71ac-4cf7-8ed1-b5788ee5257a
status: test
description: Identifies user account which has been locked because the user tried to sign in too many times with an incorrect user ID or password.
references:
    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts
author: AlertIQ
date: 2021-10-10
modified: 2022-12-25
tags:
    - attack.credential-access
    - attack.t1110
logsource:
    product: azure
    service: signinlogs
detection:
    selection:
        ResultType: 50053
    condition: selection
falsepositives:
    - Unknown
level: medium
```
Related rules
- Bitbucket User Login Failure
- Cisco BGP Authentication Failures
- Cisco LDP Authentication Failures
- External Remote RDP Logon from Public IP
- External Remote SMB Logon from Public IP