Managed Sentinel – Alert 062
| Alert ID | MS-A062 |
| Alert Name | Large number of failed Windows logon attempts within 10 mins |
| Description | This could be an indicator of a brute force attack. Alert on large volume of Windows failed logon attempts within 10 mins interval for a particular user account. Currently setup to alert when failed logon attempts are 6 or higher during a 10 minute period. |
| Severity Level | Low |
| Threat Indicator | Unauthorized Access |
| MITRE ATT&CK Tactics | Credential Access |
| Log sources | Windows |
| False Positives | - Scheduled vulnerability scan or pen test against organization's network - Scheduled global password policy changes - Employees' device with pre-configured password for an internal application, post password policy change |
| Recommendations | 1. Perform an investigation in Sentinel and discover the attack originator device from the network. 2. Complete a full scan of the identified machine. |