Synopsis
Activation Period | 14 Days
Training Period | 30 Days
Test Period | 1 Hour
Deduplication Period | 1 Day
Required Data |
Detection Modules | Identity Analytics
Detector Tags |
ATT&CK Tactic |
ATT&CK Technique |
Severity | Informational
Description
An abnormally high number of user account login attempts was seen from a host within a short period of time.
This may have resulted from a login password spray attack.
Attacker's Goals
An attacker may be attempting to gain unauthorized access to user accounts.
Investigative actions
- Check the amount of time in between each authentication attempt.
- Investigate the reason behind the login failures and whether any accounts were locked out.
- Look for any successful authentication attempts and the ratio of login success versus login failures.
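The three checks above can be run together over the authentication events exported for the alerting host. The following is an added example, not part of the product or its documentation; the event layout, host name, user names and reason strings are constructed assumptions.

```python
from collections import Counter
from datetime import datetime
from statistics import median

# Constructed sample events (not real telemetry); the field layout is an assumption:
# (timestamp, source host, target user, outcome, failure reason)
EVENTS = [
    ("2024-05-01T09:00:00", "WS-017", "alice", "failure", "bad_password"),
    ("2024-05-01T09:00:02", "WS-017", "bob",   "failure", "bad_password"),
    ("2024-05-01T09:00:04", "WS-017", "carol", "failure", "account_locked"),
    ("2024-05-01T09:00:06", "WS-017", "dave",  "success", ""),
    ("2024-05-01T09:00:08", "WS-017", "erin",  "failure", "bad_password"),
    ("2024-05-01T09:00:10", "WS-017", "frank", "failure", "unknown_user"),
]

def triage(events, host):
    """Summarise one host's login attempts along the three investigative checks."""
    rows = sorted((datetime.fromisoformat(t), user, outcome, reason)
                  for t, h, user, outcome, reason in events if h == host)
    if not rows:
        return None
    times = [r[0] for r in rows]
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    failures = [r for r in rows if r[2] == "failure"]
    successes = [r for r in rows if r[2] == "success"]
    return {
        "attempts": len(rows),
        "distinct_users": len({r[1] for r in rows}),
        # Check 1: short, near-constant gaps point to automation rather than typing
        "median_gap_s": median(gaps) if gaps else None,
        "max_gap_s": max(gaps) if gaps else None,
        # Check 2: why logins failed and which accounts ended up locked
        "failure_reasons": dict(Counter(r[3] for r in failures)),
        "locked_accounts": sorted({r[1] for r in failures if r[3] == "account_locked"}),
        # Check 3: any success needs follow-up; ratio of successes to failures
        "successful_users": sorted({r[1] for r in successes}),
        "success_to_failure": len(successes) / len(failures) if failures else None,
    }

if __name__ == "__main__":
    for key, value in triage(EVENTS, "WS-017").items():
        print(f"{key}: {value}")
```

Many distinct users with evenly spaced failures and one or two successes is the pattern to prioritise: the accounts listed under successful_users are the ones to review first.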
Variations
Suspicious intensive and short internal Login Password Spray
Internal Login Password Spray with many wrong password attempts
Internal Login Password Spray attempt on local user