Account Lockout

Identifies user account which has been locked because the user tried to sign in too many times with an incorrect user ID or password.

Sigma rule (View on GitHub)

 1title: Account Lockout
 2id: 2b7d6fc0-71ac-4cf7-8ed1-b5788ee5257a
 3status: test
 4description: Identifies user account which has been locked because the user tried to sign in too many times with an incorrect user ID or password.
 5references:
 6    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts
 7author: AlertIQ
 8date: 2021/10/10
 9modified: 2022/12/25
10tags:
11    - attack.credential_access
12    - attack.t1110
13logsource:
14    product: azure
15    service: signinlogs
16detection:
17    selection:
18        ResultType: 50053
19    condition: selection
20falsepositives:
21    - Unknown
22level: medium

References

Related rules

to-top