Large number of failed Windows logon attempts within 10 mins
This may indicate a brute-force attack. The rule alerts on a large volume of failed Windows logon attempts against a single user account within a 10-minute interval. It is currently configured to fire when there are 6 or more failed logon attempts for one account during a 10-minute period.
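The threshold logic described above, as an added example that is not the rule's own Sentinel query (in Sentinel it would be a KQL query over failed-logon events, Event ID 4625). It applies a sliding 10-minute window per account to constructed sample events and returns the accounts that cross the threshold together with the source workstations seen in that window, which is what the investigation step needs first. Account names, hostnames and timestamps are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # rule interval
THRESHOLD = 6                    # rule fires at 6 or more failures

def _ts(hhmm):
    """Constructed timestamps on a single day, used by the sample data below."""
    hour, minute = map(int, hhmm.split(":"))
    return datetime(2024, 1, 15, hour, minute)

# Constructed sample events shaped like Event ID 4625 (failed logon):
# (timestamp, target account, source workstation).
SAMPLE_EVENTS = (
    [(_ts(f"09:0{i}"), "svc_backup", "WKSTN-01") for i in range(8)]             # 8 in 8 min
    + [(_ts(f"10:0{i}"), "jdoe", "WKSTN-02") for i in range(5)]                 # 5 in 5 min
    + [(_ts(f"11:{m:02d}"), "asmith", "WKSTN-03") for m in (0, 3, 6, 9, 12, 15)]  # 6 over 15 min
)

def detect_failed_logon_bursts(events, window=WINDOW, threshold=THRESHOLD):
    """Return {account: details} for every account with at least `threshold`
    failed logons inside some sliding window of length `window`."""
    by_account = defaultdict(list)
    for ts, account, source in events:
        by_account[account].append((ts, source))
    hits = {}
    for account, rows in by_account.items():
        rows.sort()
        start = 0
        for end, (ts, _) in enumerate(rows):
            # Drop events older than `window` relative to the newest one.
            while ts - rows[start][0] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                hits[account] = {
                    "first": rows[start][0],
                    "last": ts,
                    "count": count,
                    # Originating hosts: the first thing to chase during investigation.
                    "sources": sorted({src for _, src in rows[start:end + 1]}),
                }
                break
    return hits

if __name__ == "__main__":
    for account, info in detect_failed_logon_bursts(SAMPLE_EVENTS).items():
        print(f"ALERT {account}: {info['count']} failures "
              f"{info['first']:%H:%M}-{info['last']:%H:%M} from {info['sources']}")
```

Only svc_backup is reported: jdoe stays below the threshold, and asmith's six failures never fall inside one 10-minute window, which is why the window length matters as much as the count.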
MITRE ATT&CK Tactics
Possible false positives
- A scheduled vulnerability scan or penetration test against the organization's network
- Scheduled global password policy changes
- An employee's device holding a pre-configured (cached) password for an internal application after a password policy change
Response steps
1. Investigate in Sentinel and identify the device on the network from which the failed logon attempts originated.
2. Complete a full scan of the identified machine.