Interactive local account enumeration

Cortex XSIAM Analytics Alert Reference by Alert name

Product: Cortex XSIAM
Last date published: 2026-04-13
Category: Analytics Alert Reference
Index by: Alert name

Synopsis

Activation Period: 14 Days
Training Period: 30 Days
Test Period: 1 Hour
Deduplication Period: 1 Day

Required Data:
  • Requires:
    • XDR Agent

Detection Modules: Identity Analytics
Detector Tags:
ATT&CK Tactic:
ATT&CK Technique:
Severity: Low

Description

Interactive local logins were attempted on a host with multiple non-existent accounts within a short period.
This may indicate that an attacker has physical access to the host and is trying to enumerate accounts.

Attacker's Goals

Discover valid accounts to gain credentials.

Investigative actions

Check whether the login attempts were part of a legitimate misunderstanding of the system or part of an attack.