Excessive AKD failed logins on macOS in IDR

I’ve been noticing a number of “low” investigations being opened for excessive authN failures on my macOS PCs. Digging into it more, it looks like it’s a service called AKD (apple keychain daemon?). I’ve only seen one other mention of similar behavior elsewhere but no real explanation.

Has anyone else here come across this sort of issue? If you have, any ideas what the root cause is?

Hey Scott,
We have this too. I did some digging previously and couldn't find much, other than it might be linked to some background update processes within macOS.
It happened on a fresh out of the box Mac the first time, so we knew it wasn't anything malicious, just annoying. Also a bit annoying that the options for “ignoring”/exceptions are a bit limited currently.

The first thing you should do is turn the rule off since AKD is an Apple daemon. Every time a new update is released and the user differs, the rule gets triggered, or if any application update like Slack/Teams/Zoom fails, it gets triggered.

I would suggest defining a custom detection rule like this.

from(
    event_type = "asset_auth"
    AND
    log.id = "***"
)
where(
    "service" = "/System/Library/CoreServices/loginwindow.app/Contents/MacOS/loginwindow"
    AND
    "result" CONTAINS "FAILED"
)

It will trigger when there are failed logins to the laptop, and you can add other services like SSH.
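The same filter as a small Python check over constructed sample events, added here as an illustration (it is not the reply author's code and not an InsightIDR feature): it applies the reply's service/result conditions so that a constructed "akd" service never counts, and adds the sliding-window threshold an "excessive failures" rule needs. The sshd path, the window and the threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Watched service paths: loginwindow as quoted in the reply; sshd is an assumed example.
LOGINWINDOW = "/System/Library/CoreServices/loginwindow.app/Contents/MacOS/loginwindow"
SSHD = "/usr/sbin/sshd"
WATCHED_SERVICES = {LOGINWINDOW, SSHD}


def ev(time, asset, user, service, result):
    """Build one constructed asset_auth event (sample data, not real logs)."""
    return {"time": time, "asset": asset, "user": user,
            "service": service, "result": result}


# Constructed events; "akd" stands in for the noisy Apple daemon the thread describes.
SAMPLE_EVENTS = [
    ev("2024-01-10T09:00:00", "mac-01", "scott", "akd", "FAILED"),
    ev("2024-01-10T09:00:05", "mac-01", "scott", "akd", "FAILED"),
    ev("2024-01-10T09:01:00", "mac-01", "scott", LOGINWINDOW, "FAILED"),
    ev("2024-01-10T09:02:00", "mac-01", "scott", LOGINWINDOW, "FAILED"),
    ev("2024-01-10T09:03:30", "mac-01", "scott", LOGINWINDOW, "SUCCESS"),
    ev("2024-01-10T09:04:00", "mac-01", "scott", LOGINWINDOW, "FAILED"),
    ev("2024-01-10T10:00:00", "mac-02", "alice", SSHD, "FAILED"),
    ev("2024-01-10T10:01:00", "mac-02", "alice", LOGINWINDOW, "FAILED"),
    ev("2024-01-10T10:20:00", "mac-02", "alice", SSHD, "FAILED"),
    ev("2024-01-10T11:00:00", "mac-03", "bob", "akd", "FAILED"),
    ev("2024-01-10T11:00:01", "mac-03", "bob", "akd", "FAILED"),
]


def watched_failures(events):
    """The reply's where() clause: watched service AND result contains FAILED."""
    return [e for e in events
            if e["service"] in WATCHED_SERVICES and "FAILED" in e["result"]]


def excessive_failures(events, threshold=3, window=timedelta(minutes=5)):
    """{(asset, user): peak} for pairs with >= threshold watched failures in one window."""
    times_by_pair = defaultdict(list)
    for e in watched_failures(events):
        times_by_pair[(e["asset"], e["user"])].append(datetime.fromisoformat(e["time"]))
    hits = {}
    for pair, times in times_by_pair.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            hits[pair] = peak
    return hits
```

With the sample data only mac-01/scott crosses the default threshold; the akd-only burst on mac-03 is dropped by the service filter before counting.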