Managed Sentinel – Alert 086

Alert ID: MS-A086
Alert Name: Large number of failed Windows logon attempts within 10 mins
Description: Alerts on a large volume of failed Windows logon attempts for a single user account within a 10-minute interval. Currently configured to alert when an account records 6 or more failed logon attempts during a 10-minute period.
Severity Level: Low
Threat Indicator: Unauthorized Access
MITRE ATT&CK Tactics: Credential Access
Log Sources: Windows
False Positives:
- Scheduled vulnerability scan or penetration test against the organization's network
- Scheduled global password policy changes
- Employee devices with a pre-configured password for an internal application, following a password policy change
Recommendations:
1. Investigate in Sentinel to identify the device on the network from which the failed logon attempts originated.
2. Complete a full scan of the identified machine.
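The detection logic this alert describes, as an added example that is not the managed service's own analytic rule: a per-account sliding 10-minute window over failed Windows logons (Event ID 4625) that raises an alert at the sixth failure. The event records and account names are constructed for the example, and it uses a true sliding window rather than fixed 10-minute bins, so a burst straddling a bin boundary is still caught.

```python
"""Sliding-window check for alert MS-A086: six or more failed Windows logons
(Event ID 4625) for one account within any 10-minute span.
Added example, not the managed service's own rule; events are constructed."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 6                    # failures needed to alert (per the alert description)
WINDOW = timedelta(minutes=10)   # look-back span per account

# Constructed sample events: (timestamp, event id, target account, source IP).
SAMPLE_EVENTS = [
    ("2024-01-15T08:00:00", 4625, "jdoe", "10.0.0.5"),
    ("2024-01-15T08:01:00", 4625, "jdoe", "10.0.0.5"),
    ("2024-01-15T08:02:00", 4625, "jdoe", "10.0.0.5"),
    ("2024-01-15T08:03:00", 4625, "jdoe", "10.0.0.5"),
    ("2024-01-15T08:04:00", 4624, "jdoe", "10.0.0.5"),  # successful logon, ignored
    ("2024-01-15T08:05:00", 4625, "jdoe", "10.0.0.5"),
    ("2024-01-15T08:09:30", 4625, "jdoe", "10.0.0.7"),  # sixth failure -> alert
    ("2024-01-15T08:00:00", 4625, "svc_backup", "10.0.0.9"),
    ("2024-01-15T08:20:00", 4625, "svc_backup", "10.0.0.9"),  # spaced out, no alert
    ("2024-01-15T08:40:00", 4625, "svc_backup", "10.0.0.9"),
]


def detect_failed_logon_bursts(events, threshold=THRESHOLD, window=WINDOW):
    """Return {account: alert} for each account whose failed-logon count
    reaches `threshold` inside a sliding `window`. One alert per account."""
    recent = defaultdict(deque)   # account -> timestamps of failures still in window
    alerts = {}
    for ts_text, event_id, account, source_ip in sorted(events):
        if event_id != 4625:      # only failed logons count toward the threshold
            continue
        ts = datetime.fromisoformat(ts_text)
        q = recent[account]
        q.append(ts)
        # Drop failures older than the window so the count covers a true 10-minute span.
        while ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and account not in alerts:
            alerts[account] = {
                "first_failure": q[0].isoformat(),
                "last_failure": ts.isoformat(),
                "count": len(q),
                "last_source": source_ip,   # starting point for the device investigation
            }
    return alerts
```

The `last_source` field is the pivot for recommendation 1; in a real deployment the source IP and workstation name would come from the 4625 event's IpAddress and WorkstationName fields.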