Managed Sentinel – Alert 124

Alert IDMS-A124
Alert NameMultiple Login failures for multiple accounts within a predefined time interval on Windows servers
DescriptionThis alert is triggered for x login failures in y minutes from different different accounts on a Windows server.Customer to provide a list of servers subject to this alert
Severity LevelMedium
Threat IndicatorUnauthorized Access
MITRE ATT&CK TacticsInitial Access
Privilege Escalation
Credential Access
Log sourcesWindows Security Event Logs
False PositivesOrganization wide password policy GPO push (planned change)
RecommendationsInvestigate in Sentinel the originator of these requests to see if any lateral movements were successfully completed from this source. Apply a global password policy change.