Synopsis
Activation Period | 14 Days
Training Period | 30 Days
Test Period | 10 Minutes
Deduplication Period | 1 Day
Required Data |
Detection Modules | Identity Analytics
Detector Tags |
ATT&CK Tactic |
ATT&CK Technique |
Severity | Informational
Description
Multiple non-existing accounts failed to remotely log in to a host in a short period of time.
This may indicate an attacker is trying to remotely enumerate accounts.
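The logic described above, sketched as an added example (not the product's own detector): count distinct nonexistent accounts that failed a remote logon to the same host inside a sliding window. It assumes Windows Security event 4625 records already parsed into dicts; the field names, the sample events and the threshold of 5 are assumptions, and the 10-minute window mirrors the Test Period above.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # mirrors the Test Period in the synopsis
THRESHOLD = 5                    # assumed: distinct unknown accounts per host
NO_SUCH_USER = "0xc0000064"      # 4625 SubStatus: user name does not exist
REMOTE_LOGON_TYPES = {3, 10}     # Network and RemoteInteractive logons

def detect_enumeration(events, window=WINDOW, threshold=THRESHOLD):
    """Return one finding per host where at least `threshold` distinct
    nonexistent accounts failed a remote logon within `window`."""
    per_host = defaultdict(list)
    for e in events:
        if (e["event_id"] == 4625 and e["logon_type"] in REMOTE_LOGON_TYPES
                and e["sub_status"].lower() == NO_SUCH_USER):
            per_host[e["host"]].append((e["time"], e["user"].lower(), e["src_ip"]))
    findings = []
    for host, attempts in per_host.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            # Slide the window start forward until it spans <= `window`.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            in_window = attempts[start:end + 1]
            users = {u for _, u, _ in in_window}
            if len(users) >= threshold:
                findings.append({
                    "host": host,
                    "accounts": sorted(users),
                    "sources": sorted({s for _, _, s in in_window}),
                    "first_seen": in_window[0][0],
                    "last_seen": in_window[-1][0],
                })
                break  # one finding per host, in the spirit of deduplication
    return findings

def _ev(t, host, user, sub, src="192.0.2.10", logon_type=3):
    return {"time": datetime.fromisoformat(t), "event_id": 4625, "host": host,
            "user": user, "sub_status": sub, "src_ip": src, "logon_type": logon_type}

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = (
    [_ev(f"2024-01-01T10:0{i}:00", "srv-01", name, "0xC0000064")
     for i, name in enumerate(["admin1", "backup", "svc_sql", "test", "guest2"])]
    + [_ev("2024-01-01T10:01:30", "srv-01", "alice", "0xC000006A")]  # bad password, real account
    + [_ev(f"2024-01-01T1{i}:00:00", "srv-02", f"user{i}", "0xC0000064")
       for i in range(5)]                                            # spread over hours
    + [_ev("2024-01-01T09:00:00", "srv-03", "jsmiht", "0xC0000064", src="198.51.100.7")]
)
```

On the sample data only srv-01 is reported: the wrong-password failure, the unknown names spread over several hours, and the single mistyped username all stay below the threshold.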
Attacker's Goals
Discover valid accounts to gain credentials.
Investigative actions
Check if the login attempts were part of a legitimate misunderstanding of the system or part of an attack.
Variations
Suspicious Remote domain account enumeration
Remote account enumeration on domain accounts