Methods, systems and computer program products are provided for detection of slow brute force attacks based on user-level time series analysis. A slow brute force attack may be detected based on one or more anomalous failed login events associated with a user, alone or in combination with one or more post-login anomalous activities associated with the user, security alerts associated with the user, investigation priority determined for the user and/or successful logon events associated with the user. An alert may indicate a user is the target of a successful or unsuccessful slow brute force attack. Time-series data (e.g., accounted for in configurable time intervals) may be analyzed on a user-by-user basis to identify localized anomalies and global anomalies, which may be scored and evaluated (e.g., alone or combined with other information) to determine an investigation priority and whether and what alert to issue for a user.