Detectionmediumtest
Account Lockout
Identifies user account which has been locked because the user tried to sign in too many times with an incorrect user ID or password.
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
Log Source
Azuresigninlogs
ProductAzure← raw: azure
Servicesigninlogs← raw: signinlogs
Detection Logic
Detection Logic1 selector
detection:
selection:
ResultType: 50053
condition: selectionFalse Positives
Unknown
False positive likelihood has not been assessed. Additional context may be needed during triage.
References
MITRE ATT&CK
Tactics
Techniques
Rule Metadata
Rule ID
2b7d6fc0-71ac-4cf7-8ed1-b5788ee5257a
Status
test
Level
medium
Type
Detection
Created
Sun Oct 10
Modified
Sun Dec 25
Author
Path
rules/cloud/azure/signin_logs/azure_account_lockout.yml
Raw Tags
attack.credential-accessattack.t1110