General
This alarm is triggered when someone attempts to log in to an account that is disabled.
Rationale
Such a login attempt may indicate that a password has been leaked, or that a (former) employee is attempting to gain access to computer systems. In both cases, it is advisable to change the password.
Follow-up
Perform these steps to adequately follow up on this detection:
- Change the password of the account in question
- Verify with the user in question whether the login attempt was intentional
  - If Yes:
    - Explain that access has been denied for a reason
  - If No:
    - Advise further investigation