Home
  •  

MSSQL 2014: Login failed: Account locked out

Microsoft.SQLServer.2014.Login_failed__Account_locked_out_5_Rule (Rule)

A user attempted to log into the network with an account that has been locked out. The Windows security log will identify the user name under MSSQLSERVER event ID 18486.

Knowledge Base article:

Summary

A user attempted to log into the network with an account that has been locked out. The Windows security log will identify the user name under MSSQLSERVER event ID 18486.

Causes

User validation failed because the account was locked out. An account may be locked out by an administrator or programmatically when policies are violated. For example, if a user attempts to log into the network several consecutive times Windows may automatically lock the account so that this user cannot log on. This is designed to prevent brute force attacks.

Resolutions

Contact the user who is responsible for the account that is locked out. If they are legitimately attempting to access the network, contact a security administrator to unlock the account.

If the user has not attempted to log in during the time period specified in the Windows security log, assess this situation as a possible security attack.

Overrideable Parameters

Name

Description

Default Value

Enabled

Enables or disables the workflow.

Yes

Priority

Defines Alert Priority.

1

Severity

Defines Alert Severity.

1

Element properties:

TargetMicrosoft.SQLServer.2014.DBEngine
CategoryEventCollection
EnabledTrue
Event_ID18486
Event Source$Target/Property[Type="SQL2014Core!Microsoft.SQLServer.2014.DBEngine"]/ServiceName$
Alert GenerateTrue
Alert SeverityWarning
Alert PriorityNormal
RemotableTrue
Alert Message
MSSQL 2014: Login failed: Account locked out
{0}
Event LogApplication
CommentMom2014ID='{51F708FC-3FCF-4C1A-9847-E00B99AADB4A}';MOM2014GroupID={467ECC75-C5DA-42BD-955C-A73BBB51AF74}

Member Modules:

ID Module Type TypeId RunAs 
_F6DA1507_12AF_11D3_AB21_00A0C98620CE_ DataSource Microsoft.Windows.EventProvider Default
GenerateAlert WriteAction System.Health.GenerateAlert Default

Source Code:

<Rule ID="Microsoft.SQLServer.2014.Login_failed__Account_locked_out_5_Rule" Target="SQL2014Core!Microsoft.SQLServer.2014.DBEngine" Enabled="true" ConfirmDelivery="true" Remotable="true" Comment="Mom2014ID='{51F708FC-3FCF-4C1A-9847-E00B99AADB4A}';MOM2014GroupID={467ECC75-C5DA-42BD-955C-A73BBB51AF74}">

  <Category>EventCollection</Category>

  <DataSources>

    <DataSource ID="_F6DA1507_12AF_11D3_AB21_00A0C98620CE_" Comment="{F6DA1507-12AF-11D3-AB21-00A0C98620CE}" TypeID="Windows!Microsoft.Windows.EventProvider">

      <ComputerName>$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</ComputerName>

      <LogName>Application</LogName>

      <Expression>

        <And>

          <Expression>

            <SimpleExpression>

              <ValueExpression>

                <XPathQuery>PublisherName</XPathQuery>

              </ValueExpression>

              <Operator>Equal</Operator>

              <ValueExpression>

                <Value>$Target/Property[Type="SQL2014Core!Microsoft.SQLServer.2014.DBEngine"]/ServiceName$</Value>

              </ValueExpression>

            </SimpleExpression>

          </Expression>

          <Expression>

            <SimpleExpression>

              <ValueExpression>

                <XPathQuery>EventDisplayNumber</XPathQuery>

              </ValueExpression>

              <Operator>Equal</Operator>

              <ValueExpression>

                <Value>18486</Value>

              </ValueExpression>

            </SimpleExpression>

          </Expression>

        </And>

      </Expression>

    </DataSource>

  </DataSources>

  <WriteActions>

    <WriteAction ID="GenerateAlert" TypeID="SystemHealth!System.Health.GenerateAlert">

      <Priority>1</Priority>

      <Severity>1</Severity>

      <AlertMessageId>$MPElement[Name="Microsoft.SQLServer.2014.Login_failed__Account_locked_out_5_Rule.AlertMessage"]$</AlertMessageId>

      <AlertParameters>

        <AlertParameter1>$Data/EventDescription$</AlertParameter1>

      </AlertParameters>

      <Suppression>

        <SuppressionValue/>

      </Suppression>

    </WriteAction>

  </WriteActions>

</Rule>