Excessive User Account Lockouts: Automated Detection and Response with Cortex XSIAM
Introduction
User account lockouts are a common security measure to prevent unauthorized access. However, excessive lockouts can indicate credential-based attacks such as brute force or password spraying. Rapid identification and response to these lockouts are critical to maintaining the security of enterprise environments.
The "Excessive User Account Lockouts" playbook in the Cortex XSIAM® Response and Remediation Pack automates the investigation and containment of these security incidents. This playbook enhances security operations by analyzing lockout patterns, assessing risk scores, and facilitating automated response actions.
Threat Overview
Excessive account lockouts can arise due to:
- Brute-force attacks that make repeated login attempts against an account.
- Password spraying, where attackers try commonly used passwords across multiple accounts.
- Misconfigurations or user mistakes leading to repeated login failures.
This playbook is triggered when an excessive number of user account lockouts occur. It systematically investigates the root cause, determines the risk level of involved hosts, and initiates remediation where necessary.
Purpose of the Playbook
The "Excessive User Account Lockouts" playbook follows a structured approach:
1. Triage
- Collects and enriches details about the lockout events.
- Retrieves the caller computer information to identify the source of the lockouts.
2. Investigation
- Analyzes event timestamps to identify suspicious patterns of lockouts.
- Searches for related medium-severity brute-force alerts within the incident.
- Evaluates the risk score of the caller computer to determine if it is a potential threat.

3. Containment
If the lockouts are determined to be malicious, the playbook can:
- Isolate the compromised endpoint (caller computer or target host) with analyst approval.
- If the endpoint is a server or is unavailable, alert the analyst to carry out manual remediation steps.
- Automatically close the alert once actions are completed.

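The investigation step above (analyzing lockout timestamps per caller computer to separate spraying from brute force from user error) as an added example, not the playbook's own logic or an XSIAM API: a Python routine over constructed lockout events modelled on Windows Security event 4740 ("A user account was locked out"); the field names, the 10-minute window, and the thresholds are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lockout events modelled on Windows Security event 4740
# ("A user account was locked out"); the field names are assumptions for this
# example, not the playbook's or XSIAM's schema.
SAMPLE_EVENTS = [
    {"time": "2024-05-01T09:00:05", "user": "alice", "caller": "WS-1042"},
    {"time": "2024-05-01T09:00:09", "user": "bob", "caller": "WS-1042"},
    {"time": "2024-05-01T09:00:14", "user": "carol", "caller": "WS-1042"},
    {"time": "2024-05-01T09:00:20", "user": "dave", "caller": "WS-1042"},
    {"time": "2024-05-01T09:00:27", "user": "erin", "caller": "WS-1042"},
    {"time": "2024-05-01T09:03:01", "user": "svc-backup", "caller": "SRV-07"},
    {"time": "2024-05-01T09:04:02", "user": "svc-backup", "caller": "SRV-07"},
    {"time": "2024-05-01T09:05:03", "user": "svc-backup", "caller": "SRV-07"},
    {"time": "2024-05-01T09:06:04", "user": "svc-backup", "caller": "SRV-07"},
    {"time": "2024-05-01T09:07:05", "user": "svc-backup", "caller": "SRV-07"},
    {"time": "2024-05-01T08:10:00", "user": "frank", "caller": "WS-2001"},
    {"time": "2024-05-01T11:45:00", "user": "frank", "caller": "WS-2001"},
]

def analyze_lockouts(events, window=timedelta(minutes=10), threshold=5,
                     spray_users=3):
    """Return {caller: (count, distinct_users, verdict)} based on the densest
    window of lockouts observed for each caller computer (assumed thresholds)."""
    by_caller = defaultdict(list)
    for e in events:
        by_caller[e["caller"]].append((datetime.fromisoformat(e["time"]), e["user"]))
    result = {}
    for caller, items in by_caller.items():
        items.sort()  # chronological order so a sliding window can be used
        best = (0, set())
        for i in range(len(items)):
            j, users = i, set()
            while j < len(items) and items[j][0] - items[i][0] <= window:
                users.add(items[j][1])
                j += 1
            if j - i > best[0]:
                best = (j - i, users)
        count, users = best
        if count < threshold:
            verdict = "below-threshold"    # isolated lockouts: likely user error
        elif len(users) >= spray_users:
            verdict = "password-spraying"  # many accounts locked from one caller
        else:
            verdict = "brute-force"        # one or few accounts hammered repeatedly
        result[caller] = (count, len(users), verdict)
    return result
```

Calling `analyze_lockouts(SAMPLE_EVENTS)` flags WS-1042 as spraying, SRV-07 as brute force, and WS-2001 as below threshold; in practice the verdict would feed the risk-score and analyst-approval steps rather than trigger isolation on its own.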
Conclusion
The "Excessive User Account Lockouts" playbook significantly improves security teams' ability to detect and respond to credential-based attacks. By automating investigation and containment, organizations can reduce the impact of brute-force attacks while maintaining operational integrity.
For more details about this playbook and other automation use cases, please visit the Cortex XSIAM Response and Remediation Pack.
To learn more about how you can transform your SOC through automation, schedule a personal demo for Cortex XSIAM.