Managed Sentinel – Alert 062

Alert ID: MS-A062
Alert Name: Large number of failed Windows logon attempts within 10 minutes
Description: A high volume of failed Windows logon attempts (Security event ID 4625) against a single user account within a 10-minute window can indicate a brute-force or password-guessing attack. The rule currently fires when an account accumulates 6 or more failed logon attempts in any 10-minute period.
Severity Level: Low
Threat Indicator: Unauthorized Access
MITRE ATT&CK Tactics: Credential Access (Brute Force, T1110)
Log Sources: Windows
False Positives:
- Scheduled vulnerability scan or penetration test against the organization's network
- Scheduled global password policy changes
- Employee devices holding a pre-configured (now stale) password for an internal application after a password policy change
Recommendations:
1. Investigate in Sentinel to identify the originating device: pivot on the source workstation and IP address recorded in the failed logon events, and check whether the same account subsequently logged on successfully (event ID 4624) from that source.
2. Run a full antimalware scan of the identified machine.
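The threshold logic described above, as an added example that is not part of the original alert definition or the vendor's own Sentinel rule: a Python sliding-window model of "6 or more failed logons for one account within 10 minutes", run over constructed records shaped like Windows Security event 4625 (timestamp, target account, source IP, computer). Sentinel itself would express this as a KQL analytics rule over the SecurityEvent table; the Python only models the logic offline. The account names, IP addresses, timestamps and the scanner exclusion list are constructed for illustration, and the exclusion list is how the "scheduled vulnerability scan" false positive from the list above is suppressed.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta

THRESHOLD = 6                   # failed logons that trigger the alert
WINDOW = timedelta(minutes=10)  # sliding window per account

# Constructed sample records modelled on Windows Security event 4625
# (TimeGenerated, TargetUserName, IpAddress, Computer). Not real logs.
SAMPLE_EVENTS = [
    # jdoe: 5 failures spread over 32 minutes, never 6 inside any 10-minute window
    ("2024-03-01T08:00:00Z", "jdoe", "10.0.0.5", "WS01"),
    ("2024-03-01T08:08:00Z", "jdoe", "10.0.0.5", "WS01"),
    ("2024-03-01T08:16:00Z", "jdoe", "10.0.0.5", "WS01"),
    ("2024-03-01T08:24:00Z", "jdoe", "10.0.0.5", "WS01"),
    ("2024-03-01T08:32:00Z", "jdoe", "10.0.0.5", "WS01"),
    # svc_backup: 7 failures in two minutes from two source IPs (brute-force pattern)
    ("2024-03-01T09:00:00Z", "svc_backup", "192.0.2.10", "DC01"),
    ("2024-03-01T09:00:20Z", "svc_backup", "192.0.2.10", "DC01"),
    ("2024-03-01T09:00:40Z", "svc_backup", "192.0.2.10", "DC01"),
    ("2024-03-01T09:01:00Z", "svc_backup", "192.0.2.10", "DC01"),
    ("2024-03-01T09:01:20Z", "svc_backup", "192.0.2.10", "DC01"),
    ("2024-03-01T09:01:40Z", "svc_backup", "192.0.2.10", "DC01"),
    ("2024-03-01T09:02:00Z", "svc_backup", "192.0.2.11", "DC01"),
    # admin: 8 failures in one minute from the (assumed) scheduled vulnerability scanner
    *[("2024-03-01T10:00:%02dZ" % (i * 5), "admin", "10.0.0.50", "DC01") for i in range(8)],
]

# Assumed address of the authorised scanner; tuning knob for the scan false positive.
SCANNER_SOURCES = frozenset({"10.0.0.50"})


@dataclass
class Alert:
    account: str
    first_seen: datetime
    last_seen: datetime
    attempts: int
    sources: set = field(default_factory=set)


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def detect_failed_logon_bursts(events, threshold=THRESHOLD, window=WINDOW,
                               excluded_sources=frozenset()):
    """Return one Alert per burst of >= threshold failures for an account within `window`.

    Events are (timestamp, account, source_ip, computer) tuples. A burst that keeps
    going after the threshold is reached extends the open alert instead of re-firing.
    """
    recent = defaultdict(deque)   # account -> deque of (ts, ip) inside the window
    open_alerts = {}              # account -> Alert still being extended
    alerts = []
    for ts_str, account, ip, _computer in sorted(events, key=lambda e: e[0]):
        if ip in excluded_sources:
            continue  # known scanner / pentest host: suppress, do not count
        ts = parse_ts(ts_str)
        q = recent[account]
        q.append((ts, ip))
        while ts - q[0][0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) < threshold:
            continue
        current = open_alerts.get(account)
        if current is not None and ts - current.last_seen <= window:
            current.last_seen = ts
            current.attempts += 1
            current.sources.add(ip)
        else:
            current = Alert(account, q[0][0], ts, len(q), {e[1] for e in q})
            open_alerts[account] = current
            alerts.append(current)
    return alerts


if __name__ == "__main__":
    for a in detect_failed_logon_bursts(SAMPLE_EVENTS, excluded_sources=SCANNER_SOURCES):
        print(f"{a.account}: {a.attempts} failures {a.first_seen:%H:%M:%S}-{a.last_seen:%H:%M:%S} "
              f"from {sorted(a.sources)}")
```

Running it with the scanner exclusion reports only svc_backup (7 failures from two sources); without the exclusion the admin account also fires, which is exactly the false positive the tuning list warns about. The distinct source set on the alert is what the first recommendation pivots on when identifying the originating device.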