Multiple user accounts failed login due to account lockouts

Cortex XDR Analytics Alert Reference by Alert name

Product

Cortex XDR

Last date published

2026-03-01

Synopsis

Activation Period	14 Days
Training Period	30 Days
Test Period	1 Hour
Deduplication Period	1 Day
Required Data	Requires: XDR Agent
Detection Modules	Identity Analytics
Detector Tags
ATT&CK Tactic	Credential Access (TA0006)
ATT&CK Technique	Brute Force (T1110) Brute Force: Password Spraying (T1110.003)
Severity	Low

Description

A high amount of user accounts were locked out from a single source host in a short time period. This may be the result of a brute-force or password spray attack.

Attacker's Goals

An attacker may be attempting to gain unauthorized access to user accounts.

Investigative actions

Investigate the associated authentication attempts and login failures (e.g. 4740, 4625, 4776 events).
Check if any programs were cached with old credentials, resulting in account lockouts.
Find the computer responsible for the lockouts and verify if it exists on the domain.
Monitor services that may be running with a user's credentials.

Variations

Excessive user account login failure due to lockout from a suspicious source

Synopsis

ATT&CK Tactic

Credential Access (TA0006)

ATT&CK Technique

Severity

Medium

Description

A high amount of user accounts were locked out from a single source host in a short time period. This may be the result of a brute-force or password spray attack.

Attacker's Goals

An attacker may be attempting to gain unauthorized access to user accounts.

Investigative actions

Investigate the associated authentication attempts and login failures (e.g. 4740, 4625, 4776 events).
Check if any programs were cached with old credentials, resulting in account lockouts.
Find the computer responsible for the lockouts and verify if it exists on the domain.
Monitor services that may be running with a user's credentials.