Liongard Ideas Portal

Submit and upvote ideas to make Liongard better. You get 20 votes so vote wisely. 🙂

To learn more about our Ideas Portal, check out our FAQs.
To schedule a feedback session with a member of the Liongard Research Team, click here.

See what we've shipped by clicking here!

Brute force / Bad Logins - Custom Reporting and Control

It would be very helpful to have more control of the inspector that reviews brute force / bad login attempts.

Right now as it stands after an account fails 3 times or more, the only way to clear it is to log in correctly. That doesn't always work with our internal best practices, in this specific case the user had 3 failed attempts against their account, but for many reasons didn't log in for a few days, then later on left the job permanently. The account was disabled but we still get the Liongard Tickets for this account.


The ability to turn off alerting against disabled accounts in AD

The ability to only report failed login attempts (>3, or some other number) in the last 24 hours (or some other time frame)

both of these would help us greatly filter out a lot of the noise we are getting.


  • Guest
  • Aug 11 2020
  • Future Consideration
Last Reviewed Date 2021-03-19
  • Attach files
  • James Zawacki commented
    4 Mar 03:48pm

    Agreed this needs to be looked into. Alerting on disabled accounts is kind of ridiculous.

  • Seth Heitzmann commented
    12 Aug, 2020 01:01am

    I just turned on the Brute Force actionable alert for AD and ran into the same issue. A disabled account's last bad login was 2 years. I copied the existing metrics and actionable alerts. You can customize the metrics by adding the "enabled" option as shown here:

    Users[?AnomalousActivity.contains(@,`Brute Force`) && Enabled ==`true`] | length(@)