Splunk

Cisco ASA - User Account Lockout Threshold Exceeded

Last updated 2 days ago on 2026-07-17

About

This analytic detects user account lockouts on Cisco ASA devices resulting from excessive failed authentication attempts. Account lockouts may indicate brute force attacks, password spraying campaigns, credential stuffing attempts using compromised credentials from external breaches, or misconfigured automation attempting authentication with incorrect credentials. These activities represent attempts to gain unauthorized access to network infrastructure. The detection monitors for ASA message ID 113006, which is generated when a user account is locked out after exceeding the configured maximum number of failed authentication attempts, capturing the locked account name and the failure threshold that was exceeded. Investigate account lockouts for privileged or administrative accounts, multiple simultaneous lockouts affecting different accounts (suggesting password spraying), lockouts originating from unusual source IP addresses, lockouts during off-hours, or patterns suggesting automated attack tools.
Platform
Splunk
Tags
Data Source: SplunkDomain: ApplicationRule Type: QueryOS: Any
Severity
medium
Risk Score
47
References
https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/asa-syslog/syslog-messages-101001-to-199021.html#con_4769446(external, opens in a new tab or window)
False Positives
Legitimate lockouts occur from forgotten passwords, typos, script misconfigurations, or connectivity issues. Verify against help desk tickets. Filter known accounts during business hours or establish baseline patterns.
Source
View on GitHub(external, opens in a new tab or window)

Definition

Rule Language
SPL
Rule Type
query
text code block:
`cisco_asa` message_id IN (113006) | rex "locked out on exceeding '(?<attempts_count>\d+)' successive failed authentication attempts" | rex "User '(?<user>[^']+)' locked out" | eval failure_description="locked out on exceeding " . attempts_count . " successive failed authentication attempts" | fillnull | stats earliest(_time) as firstTime latest(_time) as lastTime values(message_id) as message_id values(failure_description) as failure_description by host user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `cisco_asa___user_account_lockout_threshold_exceeded_filter`

View this rule on Splunk

This rule was sourced from the official Splunk public repository. View the original rule on GitHub(external, opens in a new tab or window).