title: Brute Force
id: 53c7cca0-2901-493a-95db-d00d6fcf0a37
status: test
description: Detects many authentication failures from one source to one destination which is may indicate Brute Force activity
author: Aleksandr Akhremchik, oscd.community
date: 2019/10/25
modified: 2021/11/27
logsource:
  category: authentication
detection:
  selection:
    action: failure
  timeframe: 600s
  condition: selection | count(category) by dst_ip > 30
fields:
  - src_ip
  - dst_ip
  - user
falsepositives:
  - Inventarization
  - Vulnerability scanner
  - Legitimate application
level: medium
tags:
  - attack.credential_access
  - attack.t1110