But they might be using software that automatically raises an alert when it sees repeated login attempts for a valid username.
Isn't that one of the purposes of Splunk?