Liongard Ideas Portal

Brute force / Bad Logins - Custom Reporting and Control

It would be very helpful to have more control of the inspector that reviews brute force / bad login attempts.

Right now, as it stands, after an account fails 3 times or more, the only way to clear it is to log in correctly. That doesn't always work with our internal best practices. In this specific case the user had 3 failed attempts against their account but, for many reasons, didn't log in for a few days, then later on left the job permanently. The account was disabled, but we still get the Liongard tickets for this account.

Suggestions:

The ability to turn off alerting against disabled accounts in AD

The ability to only report failed login attempts (>3, or some other number) in the last 24 hours (or some other time frame)

Both of these would help us greatly filter out a lot of the noise we are getting.

Thanks!

  • Guest
  • Aug 11 2020
  • Future Consideration
Last Reviewed Date 2021-03-19
  • James Zawacki commented
    4 Mar 03:48pm

    Agreed this needs to be looked into. Alerting on disabled accounts is kind of ridiculous.

  • Seth Heitzmann commented
    12 Aug, 2020 01:01am

    I just turned on the Brute Force actionable alert for AD and ran into the same issue. A disabled account's last bad login was 2 years ago. I copied the existing metrics and actionable alerts. You can customize the metrics by adding the "enabled" option as shown here:

    Users[?AnomalousActivity.contains(@,`Brute Force`) && Enabled ==`true`] | length(@)
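
The filter from the comment above, combined with the time window and threshold asked for in the original request, written out as an added example (not Liongard's code and not from either commenter). `Users`, `AnomalousActivity` and `Enabled` come from the query on this page; `Name`, `BadLogonCount` and `LastBadPasswordAttempt` are assumed field names, and the sample records are constructed.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape the query above implies (Users[] with
# AnomalousActivity and Enabled). Name, BadLogonCount and
# LastBadPasswordAttempt are assumed field names for illustration.
SAMPLE = {"Users": [
    {"Name": "alice", "Enabled": True, "AnomalousActivity": ["Brute Force"],
     "BadLogonCount": 5, "LastBadPasswordAttempt": "2020-08-11T22:15:00+00:00"},
    {"Name": "bob", "Enabled": False, "AnomalousActivity": ["Brute Force"],
     "BadLogonCount": 3, "LastBadPasswordAttempt": "2018-08-02T09:00:00+00:00"},
    {"Name": "carol", "Enabled": True, "AnomalousActivity": ["Brute Force"],
     "BadLogonCount": 4, "LastBadPasswordAttempt": "2020-08-05T10:00:00+00:00"},
    {"Name": "dave", "Enabled": True, "AnomalousActivity": [],
     "BadLogonCount": 1, "LastBadPasswordAttempt": "2020-08-11T23:00:00+00:00"},
    {"Name": "erin", "Enabled": True, "AnomalousActivity": ["Brute Force"],
     "BadLogonCount": 6, "LastBadPasswordAttempt": None},
]}


def actionable_brute_force(data, now, window=timedelta(hours=24), threshold=3):
    """Return names of enabled users flagged for brute force whose last bad
    logon falls inside the window and whose count meets the threshold."""
    hits = []
    for user in data.get("Users", []):
        if "Brute Force" not in (user.get("AnomalousActivity") or []):
            continue
        if user.get("Enabled") is not True:      # drop disabled accounts
            continue
        if (user.get("BadLogonCount") or 0) < threshold:
            continue
        stamp = user.get("LastBadPasswordAttempt")
        if not stamp:                            # no timestamp: cannot be recent
            continue
        last = datetime.fromisoformat(stamp)
        if last.tzinfo is None:                  # treat naive stamps as UTC
            last = last.replace(tzinfo=timezone.utc)
        if timedelta(0) <= now - last <= window:
            hits.append(user["Name"])
    return hits


if __name__ == "__main__":
    now = datetime(2020, 8, 12, 1, 0, tzinfo=timezone.utc)
    print(actionable_brute_force(SAMPLE, now))
```

Stale flags on disabled or long-idle accounts drop out, while an enabled account with recent failures still alerts.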