Account Lockout

Identifies user accounts that have been locked because the user tried to sign in too many times with an incorrect user ID or password.

Sigma rule

title: Account Lockout
id: 2b7d6fc0-71ac-4cf7-8ed1-b5788ee5257a
status: test
description: Identifies user account which has been locked because the user tried to sign in too many times with an incorrect user ID or password.
references:
    - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts
author: AlertIQ
date: 2021/10/10
modified: 2022/12/25
tags:
    - attack.credential_access
    - attack.t1110
logsource:
    product: azure
    service: signinlogs
detection:
    selection:
        ResultType: 50053
    condition: selection
falsepositives:
    - Unknown
level: medium
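
An added example (not part of the rule or the Sigma project): the rule's selection applied in Python to constructed sign-in records, then grouped by source IP so that a single user's lockout can be told apart from several accounts locked out from one address. The field names UserPrincipalName and IPAddress follow the Azure SigninLogs table; the sample records, the labels and the threshold of 3 are assumptions.

```python
from collections import defaultdict

LOCKOUT = "50053"  # ResultType value the rule's selection matches

# Constructed sample records (not real log data).
SAMPLE = [
    {"UserPrincipalName": "alice@example.com", "IPAddress": "203.0.113.10", "ResultType": "50053"},
    {"UserPrincipalName": "bob@example.com",   "IPAddress": "203.0.113.10", "ResultType": 50053},
    {"UserPrincipalName": "carol@example.com", "IPAddress": "203.0.113.10", "ResultType": "50053"},
    {"UserPrincipalName": "dave@example.com",  "IPAddress": "203.0.113.10", "ResultType": "50126"},
    {"UserPrincipalName": "erin@example.com",  "IPAddress": "198.51.100.7", "ResultType": "50053"},
    {"UserPrincipalName": "Erin@Example.com",  "IPAddress": "198.51.100.7", "ResultType": "50053"},
    {"UserPrincipalName": "frank@example.com", "IPAddress": "198.51.100.7", "ResultType": "0"},
]


def is_lockout(event):
    """Rule selection: ResultType == 50053, whether exported as string or integer."""
    return str(event.get("ResultType", "")).strip() == LOCKOUT


def lockouts_by_source(events):
    """Map each source IP to the set of distinct accounts locked out from it."""
    by_ip = defaultdict(set)
    for event in events:
        if is_lockout(event):
            user = (event.get("UserPrincipalName") or "unknown").lower()
            by_ip[event.get("IPAddress") or "unknown"].add(user)
    return dict(by_ip)


def triage(events, threshold=3):
    """Label each source IP by how many distinct accounts it locked out.

    threshold is an assumed cut-off: at or above it the lockouts are reviewed
    together as one multi-account event (relevant to attack.t1110).
    """
    report = {}
    for ip, users in lockouts_by_source(events).items():
        label = "multi-account" if len(users) >= threshold else "single-account"
        report[ip] = (label, sorted(users))
    return report


if __name__ == "__main__":
    for ip, (label, users) in triage(SAMPLE).items():
        print(ip, label, users)
```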
