Multiple failed login attempts were detected on a Windows endpoint.
This behavior may indicate a brute force authentication attack.
Windows Security Event Logs
Event ID: 4625 (Failed Logon)
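SecurityEvent
| where EventID == 4625                                      // failed logons only
| summarize FailedAttempts = count() by Account, IpAddress   // one row per account and source address
| where FailedAttempts > 10                                  // keep pairs with more than 10 failures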
- Identified repeated failed login attempts
- Determined source IP address
- Checked login pattern frequency
- Reviewed targeted user accounts
• More than 15 failed login attempts detected
• Source IP identified as attacker machine
• Attack pattern consistent with brute force authentication attempt
• Investigated affected account
• Recommended account lockout policy
• Suggested monitoring repeated login failures
Monitoring failed login attempts helps detect brute force attacks early.
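
The query above counts failures per account and source address over the whole query range. As an added example (not part of the original investigation), the Python below applies the same cut-off of more than 10 failures inside a sliding time window, so a fast burst is separated from failures spread across a day. The 5-minute window, the event field names and the sample events are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 10                   # same cut-off as the query: more than 10 failures
WINDOW = timedelta(minutes=5)    # assumption: the page states no time window

def detect_bruteforce(events, threshold=THRESHOLD, window=WINDOW):
    """Return {(account, ip): peak failure count} for every pair whose
    4625 events exceed `threshold` inside any sliding `window`."""
    recent = defaultdict(deque)  # (account, ip) -> timestamps still inside the window
    peaks = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["event_id"] != 4625:       # ignore everything but failed logons
            continue
        key = (ev["account"], ev["ip"])
        q = recent[key]
        q.append(ev["time"])
        while ev["time"] - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) > threshold:
            peaks[key] = max(peaks.get(key, 0), len(q))
    return peaks

def sample_events():
    """Constructed sample data (hypothetical accounts, documentation IP ranges)."""
    t0 = datetime(2024, 1, 1, 9, 0, 0)
    events = []
    # 16 failures in 75 seconds against one account from one address: a burst
    for i in range(16):
        events.append({"time": t0 + timedelta(seconds=5 * i), "event_id": 4625,
                       "account": "LAB\\alice", "ip": "203.0.113.10"})
    # 12 failures spread over 5.5 hours: over the total, never over the window
    for i in range(12):
        events.append({"time": t0 + timedelta(minutes=30 * i), "event_id": 4625,
                       "account": "LAB\\bob", "ip": "198.51.100.7"})
    # a successful logon (4624) must not be counted
    events.append({"time": t0, "event_id": 4624,
                   "account": "LAB\\alice", "ip": "203.0.113.10"})
    return events

if __name__ == "__main__":
    for (account, ip), peak in detect_bruteforce(sample_events()).items():
        print(f"{account} from {ip}: {peak} failed logons within {WINDOW}")
```
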