Managed Sentinel – Alert 086
| Field | Value |
| --- | --- |
| Alert ID | MS-A086 |
| Alert Name | Large number of failed Windows logon attempts within 10 mins |
| Description | Alerts on a large volume of failed Windows logon attempts within a 10-minute interval for a single user account. Currently set up to alert when there are 6 or more failed logon attempts during a 10-minute period. |
| Severity Level | Low |
| Threat Indicator | Unauthorized Access |
| MITRE ATT&CK Tactics | Credential Access |
| Log sources | Windows |
| False Positives | (1) Scheduled vulnerability scan or penetration test against the organization's network; (2) scheduled global password policy changes; (3) employees' devices with a pre-configured password for an internal application after a password policy change |
| Recommendations | 1. Perform an investigation in Sentinel and identify the device on the network from which the attempts originated. 2. Complete a full scan of the identified machine. |
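The threshold logic described above (6 or more failed logons for one account inside a 10-minute window), written out as a sliding-window check over Windows Security events. This is an added illustration, not the Managed Sentinel rule itself; it assumes the standard Windows failed-logon Event ID 4625 and runs over constructed sample events. It also collects the source addresses seen in the window, which is the starting point for Recommendation 1.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample Windows Security events (not taken from the alert page):
# (timestamp, EventID, target account, source workstation / address).
# EventID 4625 = "An account failed to log on"; 4624 = successful logon.
SAMPLE_EVENTS = [
    ("2024-03-01T09:00:05", 4625, "jdoe", "10.0.0.15"),
    ("2024-03-01T09:01:10", 4625, "jdoe", "10.0.0.15"),
    ("2024-03-01T09:02:40", 4624, "jdoe", "10.0.0.15"),  # success, not counted
    ("2024-03-01T09:03:00", 4625, "jdoe", "10.0.0.15"),
    ("2024-03-01T09:04:20", 4625, "jdoe", "10.0.0.99"),
    ("2024-03-01T09:06:15", 4625, "jdoe", "10.0.0.15"),
    ("2024-03-01T09:08:30", 4625, "jdoe", "10.0.0.15"),  # 6th failure in < 10 min
    # asmith: six failures spread over 25 minutes, never six inside one window
    ("2024-03-01T10:00:00", 4625, "asmith", "10.0.0.20"),
    ("2024-03-01T10:05:00", 4625, "asmith", "10.0.0.20"),
    ("2024-03-01T10:10:00", 4625, "asmith", "10.0.0.20"),
    ("2024-03-01T10:15:00", 4625, "asmith", "10.0.0.20"),
    ("2024-03-01T10:20:00", 4625, "asmith", "10.0.0.20"),
    ("2024-03-01T10:25:00", 4625, "asmith", "10.0.0.20"),
]

FAILED_LOGON = 4625             # assumed Windows failed-logon event ID
THRESHOLD = 6                   # MS-A086: 6 or more failures ...
WINDOW = timedelta(minutes=10)  # ... within a 10-minute interval


def detect_failed_logon_bursts(events, threshold=THRESHOLD, window=WINDOW):
    """Return {account: details} for each account whose failed logons reach
    `threshold` inside any `window`; details include the sources seen."""
    recent = defaultdict(deque)  # account -> (timestamp, source) still in window
    alerts = {}
    for ts_str, event_id, account, source in sorted(events):
        if event_id != FAILED_LOGON:
            continue
        ts = datetime.fromisoformat(ts_str)
        q = recent[account]
        q.append((ts, source))
        # Evict failures that are 10 minutes or older than the current one.
        while ts - q[0][0] >= window:
            q.popleft()
        if len(q) >= threshold and account not in alerts:
            alerts[account] = {
                "count": len(q),
                "window_start": q[0][0].isoformat(),
                "window_end": ts.isoformat(),
                "sources": sorted({src for _, src in q}),
            }
    return alerts
```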