OneLogin user locked out

onelogin

Classification:

attack

Tactic:

TA0006-credential-access

Technique:

T1110-brute-force

Set up the onelogin integration.

이 페이지는 아직 영어로 제공되지 않습니다. 번역 작업 중입니다.
현재 번역 프로젝트에 대한 질문이나 피드백이 있으신 경우 언제든지 연락주시기 바랍니다.

Goal

Detect when a OneLogin user is locked out. This may be common if the user is repeatedly failing to log in. This rule is most useful when correlated with other anomalous activity for the user.

Strategy

This rule lets you monitor the following OneLogin events to when a user is locked out:

  • @evt.name:USER_LOCKED

Triage and response

  1. Determine whether the user ({{@usr.name}}) was legitimately trying to authenticate and was locked out.
  2. If the activity was not legitimate, review all activity from the IP ({{@network.client.ip}}) associated with this signal.