Failed Logins

Categories:
Tags:
Tailored Operational Context
  • Target Database:
  • Context Type:
  • Alert Severity:
  • Triggered Time:
  • Firing Context:

Failed Logins Alert

Alert ID: failed_logins Category: Security Default threshold: 5 failed attempts

What This Alert Detects

This alert finds PeopleSoft users with excessive failed login attempts by querying the PSPTLOGINAUDIT table. It only reports users whose most recent login attempt was a failure (PT_SIGNON_STATUS = 1).

PSPTLOGINAUDIT stores only the last login state per user. Once a user successfully logs in, their failure count resets. This means the alert reflects the current state: users who are actively failing to log in right now.

A high number of failed logins may indicate:

  • A brute-force attack against a user account
  • A user who has forgotten their password
  • An integration or batch account with stale credentials
  • An account lockout situation that needs admin attention

Severity Logic

ConditionSeverity
Failed logins >= thresholdCountWarning
Failed logins >= thresholdCount x 2Critical

For example, with the default threshold of 5:

  • A user with 6 failed logins -> Warning
  • A user with 10 or more failed logins -> Critical

What Gets Checked

The alert queries PSPTLOGINAUDIT for rows where:

  • PT_SIGNON_STATUS = '1' (last attempt was a failure)
  • FAILEDLOGINS >= threshold (failed count meets or exceeds the configured threshold)

Results are ordered by FAILEDLOGINS descending (highest failure counts first).

Alert Details

Each alert item includes:

  • Signon ID (PTSIGNONID) — the username entered at the login screen
  • OPRID — the resolved PeopleSoft user ID
  • Number of failed login attempts
  • Authentication type (Token/SSO, Signon PeopleCode, or Standard)
  • Timestamp of the last failed login attempt
  • A link to the User detail page (when the OPRID is resolved)

Configuration

alerts:
  checks:
    failed_logins:
      enabled: true
      thresholdCount: 5    # Failed attempts before flagging as Warning
SettingDefaultDescription
thresholdCount5Number of failed logins to trigger a Warning alert. Critical fires at 2x this value.

How to Respond

  1. Click the alert link to go to the User detail page for the affected account
  2. Check the authentication type. Token/SSO failures may indicate a misconfigured integration
  3. Review the timestamp. Recent failures are more concerning than old ones
  4. Check if the user’s account is locked (ACCTLOCK in PSOPRDEFN)
  5. If the failures look like a brute-force attempt, consider locking the account and investigating the source
  6. For legitimate users, help them reset their password and unlock their account

PeopleSoft Table Reference

This alert queries the PSPTLOGINAUDIT Tools table. For more details on this table, see Exploring the PSPTLOGINAUDIT Tools Table.

Prerequisites

The PSPTLOGINAUDIT table must be whitelisted in the PeopleSoft SWS framework on each target environment. If the table is not whitelisted, this alert will log an error on each check cycle but will not affect other alerts.