Single account excessively locked out

Cortex XSIAM Analytics Alert Reference by Alert name

Product
Cortex XSIAM
Last date published
2026-01-04
Category
Analytics Alert Reference
Index by
Alert name

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

1 Hour

Deduplication Period

1 Day

Required Data

  • Requires one of the following data sources:
    • Windows Event Collector
      OR
    • XDR Agent with eXtended Threat Hunting (XTH)

Detection Modules

Identity Analytics

Detector Tags

ATT&CK Tactic

Credential Access (TA0006)

ATT&CK Technique

Severity

Informational

Description

A user has been locked out an unusually high number of times within a short timeframe. This could indicate an attempt to gain unauthorized access to the user's account.

Attacker's Goals

An attacker may be attempting to gain unauthorized access to user accounts.

Investigative actions

  • Investigate the associated authentication attempts and login failures (e.g. event IDs 4740, 4625, 4776).
  • Check if there were any successful authentications (event ID 4624).
  • Determine if any programs have stored outdated credentials, causing account lockouts.
  • Check recent user activity for unusual behavior, such as logins from unfamiliar locations or devices.
  • Confirm whether the user's credentials have been compromised or leaked.
  • Review if the account is enrolled in multifactor authentication (MFA).
  • Find the computer responsible for the lockouts and verify whether it is a known machine on the domain.
  • Monitor services that may be running with a user's credentials.

Variations

Single suspicious account excessively locked out

Synopsis

ATT&CK Tactic

Credential Access (TA0006)

ATT&CK Technique

Severity

Low

Description

A user has been locked out an unusually high number of times within a short timeframe. This could indicate an attempt to gain unauthorized access to the user's account.

Attacker's Goals

An attacker may be attempting to gain unauthorized access to user accounts.

Investigative actions

  • Investigate the associated authentication attempts and login failures (e.g. event IDs 4740, 4625, 4776).
  • Check if there were any successful authentications (event ID 4624).
  • Determine if any programs have stored outdated credentials, causing account lockouts.
  • Check recent user activity for unusual behavior, such as logins from unfamiliar locations or devices.
  • Confirm whether the user's credentials have been compromised or leaked.
  • Review if the account is enrolled in multifactor authentication (MFA).
  • Find the computer responsible for the lockouts and verify whether it is a known machine on the domain.
  • Monitor services that may be running with a user's credentials.
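As an added example (not Cortex XSIAM's own detection logic, which this page does not publish), the investigative actions above and in the base alert can be scripted over collected Windows Security events: count 4740 lockouts per user within the 1-hour test window against a per-user 30-day baseline, list the computers the lockouts came from, and check whether a 4624 success followed. The sample events, the baseline values and the multiplier are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry): Windows Security log records
# flattened to (timestamp, event ID, target user, caller/source computer).
EVENTS = [
    ("2024-05-01T09:00:05", 4625, "jdoe", "WS-17"),
    ("2024-05-01T09:00:09", 4740, "jdoe", "WS-17"),
    ("2024-05-01T09:31:02", 4740, "jdoe", "WS-17"),
    ("2024-05-01T09:45:40", 4740, "jdoe", "WS-17"),
    ("2024-05-01T09:52:11", 4740, "jdoe", "WS-17"),
    ("2024-05-01T09:58:30", 4624, "jdoe", "WS-17"),
    ("2024-05-01T09:10:00", 4740, "asmith", "WS-03"),
]

# Assumed per-user baseline: highest 4740 count seen in any one hour during the
# 30-day training period (the page states the period, not the statistic used).
BASELINE = {"jdoe": 1, "asmith": 1}
TEST_WINDOW = timedelta(hours=1)  # the page's 1-hour test period


def lockout_spikes(events, baseline, window=TEST_WINDOW, factor=3):
    """Return {user: finding} for users whose 4740 lockouts in any sliding
    window exceed factor * baseline[user]; one finding per user (dedup)."""
    by_user = defaultdict(list)
    for ts, eid, user, host in sorted(events):  # ISO timestamps sort lexically
        by_user[user].append((datetime.fromisoformat(ts), eid, host))
    findings = {}
    for user, recs in by_user.items():
        lockouts = [r for r in recs if r[1] == 4740]
        for i, (start, _, _) in enumerate(lockouts):
            in_win = [r for r in lockouts[i:] if r[0] - start <= window]
            if len(in_win) <= factor * baseline.get(user, 0):
                continue
            end = in_win[-1][0]
            findings[user] = {
                "lockouts": len(in_win),
                # caller computers: where to look for stale credentials/services
                "callers": sorted({r[2] for r in in_win}),
                # a 4624 shortly after the spike raises the priority of the case
                "success_after": any(
                    r[1] == 4624 and start <= r[0] <= end + window for r in recs
                ),
            }
            break  # first spike per user is enough for this batch
    return findings


if __name__ == "__main__":
    print(lockout_spikes(EVENTS, BASELINE))
```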