Synopsis
Activation Period |
14 Days |
Training Period |
30 Days |
Test Period |
1 Hour |
Deduplication Period |
1 Day |
Required Data |
|
Detection Modules |
Identity Analytics |
Detector Tags |
|
ATT&CK Tactic |
|
ATT&CK Technique |
|
Severity |
Low |
Description
Multiple non-existing accounts failed to interactive local log in to a host in a short period of time.
This may indicate an attacker has physical access to the host, and is trying to enumerate accounts.
Attacker's Goals
Discover valid accounts to gain credentials.
Investigative actions
Check if the login attempts were part of a legitimate misunderstanding of the system or part of an attack.