A security analyst reviewing logs notices that four user accounts were locked out within a five-minute window. Which of the following BEST explains why the analyst should investigate further before declaring a security incident?
Modern operating systems no longer lock accounts unless a brute-force attack is detected by the kernel, so a lockout always signals an attack.
Lockout policies are enforced solely on domain controllers, making every lockout an indicator of privileged-account compromise.
Account lockouts can occur for benign reasons (for example, users repeatedly mistyping passwords), so additional evidence is required to confirm malicious activity.
Account lockouts only happen after a successful logon, so any lockout automatically proves that credentials were stolen.
Account lockouts are an important indicator because they often appear during password-spray or brute-force attacks. However, they can also be triggered by legitimate users mistyping their passwords or by stale credentials cached on multiple devices after a password change. Therefore, analysts should correlate lockout events with additional evidence, such as the source IP addresses or workstations behind the failed logons, the specific Event IDs involved, and any other anomalies, before concluding that malicious activity is occurring. This avoids false positives and unnecessary escalation.
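One way to perform the correlation the explanation describes, as an added example that is not part of the original question: it groups constructed Windows failed-logon (4625) and lockout (4740) events into five-minute windows and checks whether the failed logons behind a burst of lockouts share one source, which is the distinguishing sign of a spray rather than four unrelated typos. The field names are simplified from the real event schemas.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from the page): (time, event id, account, source).
# 4625 = failed logon, 4740 = account locked out; "source" stands in for the
# caller workstation or IP recorded with the event.
EVENTS = [
    ("2024-05-01T09:00:09", 4625, "alice", "10.0.0.15"),
    ("2024-05-01T09:00:12", 4740, "alice", "10.0.0.15"),
    ("2024-05-01T09:01:01", 4625, "bob",   "10.0.0.15"),
    ("2024-05-01T09:01:04", 4740, "bob",   "10.0.0.15"),
    ("2024-05-01T09:02:30", 4625, "carol", "10.0.0.15"),
    ("2024-05-01T09:02:33", 4740, "carol", "10.0.0.15"),
    ("2024-05-01T09:03:50", 4625, "dave",  "10.0.0.15"),
    ("2024-05-01T09:03:55", 4740, "dave",  "10.0.0.15"),
    # Hours later: one user locked out from their own laptop after a password change.
    ("2024-05-01T14:10:00", 4625, "erin",  "10.0.0.42"),
    ("2024-05-01T14:10:20", 4740, "erin",  "10.0.0.42"),
]

def triage_lockouts(events, window_minutes=5, min_accounts=4):
    """Cluster 4740 lockouts into time windows, then look at the 4625 failures
    for those accounts around the window. Returns one verdict per cluster."""
    window = timedelta(minutes=window_minutes)
    parse = datetime.fromisoformat
    lockouts = sorted((parse(t), u) for t, i, u, _ in events if i == 4740)
    failures = [(parse(t), u, s) for t, i, u, s in events if i == 4625]
    verdicts, i = [], 0
    while i < len(lockouts):
        start = lockouts[i][0]
        cluster = [(t, u) for t, u in lockouts[i:] if t - start <= window]
        i += len(cluster)
        users = {u for _, u in cluster}
        # Map each source to the locked-out accounts it produced failures for.
        src_to_users = defaultdict(set)
        for t, u, s in failures:
            if u in users and start - window <= t <= start + window:
                src_to_users[s].add(u)
        shared = {s for s, us in src_to_users.items() if len(us) > 1}
        if len(users) >= min_accounts and shared:
            verdict = "escalate: multiple accounts locked from a shared source"
        elif len(users) >= min_accounts:
            verdict = "investigate: burst of lockouts, no shared source found yet"
        else:
            verdict = "low priority: isolated lockout, confirm with the user"
        verdicts.append({"start": start.isoformat(), "accounts": sorted(users),
                         "shared_sources": sorted(shared), "verdict": verdict})
    return verdicts
```

In production the same logic runs over 4740 events joined to 4625/4771 failures from the domain controllers, keyed on the caller computer name or client address rather than the simplified source field used here.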