<  Back to rules search

OneLogin user locked out

onelogin

Classification:

attack

Tactic:

Technique:

Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel, n'hésitez pas à nous contacter.

Goal

Detect when a OneLogin user is locked out. This may be common if the user is repeatedly failing to log in. This rule is most useful when correlated with other anomalous activity for the user.

Strategy

This rule lets you monitor the following OneLogin events to when a user is locked out:

  • @evt.name:USER_LOCKED

Triage and response

  1. Determine whether the user ({{@usr.name}}) was legitimately trying to authenticate and was locked out.
  2. If the activity was not legitimate, review all activity from the IP ({{@network.client.ip}}) associated with this signal.