Skip to Main Content
Liongard Library

Welcome to Liongard Library, where Lions share! This is a community-led space where Liongard users can come to teach and learn from one another.
Share custom Metrics, get inspired and see what’s trending in the Pride.

Pride Etiquette:
➕ Have great custom Metrics? Add them as entries!
🌟 Want to use a Metric? Copy the query and
follow this doc.
👍 Tried a Metric from the Library? Like it!
📣 Have a question or feedback on a Metric? Add a comment!
🔎 Not sure where to start? Learn about Metrics and how to write them.
💬 Need help writing a metric or want to help support others? Join the conversation in our Liongard Lounge #metrics slack channel.


🥴 See something off? Open a support chat to let us know.

Categories Active Directory
Created by Devon
Created on Aug 16, 2021

Active Directory: User Accounts With Brute Force Attempts Count 5+ Count

Current Brute force metric alerts after 4 failed attempts even on disabled accounts from multiple years ago.


This provides a custom option to be closer to the lockout policy with the option of monitoring only enabled accounts. This provides a count to user with a rule that outputs the list "Active Directory: User Accounts With Brute Force Attempts Count 5+ List"

Query

length(Users[?BadLogonCount >= `5` && Enabled!= `false`])

  • Attach files
  • Devon
    Reply
    |
    Aug 16, 2021

    Had a typo. Got that sorted now.