security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[Rule Tuning] Multiple Logon Failure from the same Source Address (#2588)

Browse Source 
* Update credential_access_bruteforce_multiple_logon_failure_same_srcip.toml

* Update rules/windows/credential_access_bruteforce_multiple_logon_failure_same_srcip.toml

* Update rules/windows/credential_access_bruteforce_multiple_logon_failure_same_srcip.toml

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
This commit is contained in:
Samirbous
2023-04-24 13:16:17 +01:00
committed by GitHub
parent 2996c79ff4
commit 2eda02c10e
1 changed files with 7 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/windows/credential_access_bruteforce_multiple_logon_failure_same_srcip.toml
+7 -3
View File
@@ -31,7 +31,6 @@ services.path FROM services JOIN authenticode ON services.path = authenticode.pa
authenticode.path JOIN hash ON services.path = hash.path WHERE authenticode.result != 'trusted'
"""
[rule]
author = ["Elastic"]
description = """
@@ -100,9 +99,14 @@ This rule identifies potential password guessing/brute force activity from a sin
## Setup
If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
- In some cases the source network address in Windows events 4625/4624 is not populated due to Microsoft logging limitations (examples in the references links). This edge case will break the rule condition and it won't trigger an alert.
"""
references = ["https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625"]
references = [
"https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625",
"https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4624",
"https://social.technet.microsoft.com/Forums/ie/en-US/c82ac4f3-a235-472c-9fd3-53aa646cfcfd/network-information-missing-in-event-id-4624?forum=winserversecurity",
"https://serverfault.com/questions/379092/remote-desktop-failed-logon-event-4625-not-logging-ip-address-on-2008-terminal-s/403638#403638",
]
risk_score = 47
rule_id = "48b6edfc-079d-4907-b43c-baffa243270d"
severity = "medium"