From 362b3291a931fbcbcef59a0b87f7e88496646da7 Mon Sep 17 00:00:00 2001
From: Samirbous <64742097+Samirbous@users.noreply.github.com>
Date: Thu, 14 Dec 2023 17:41:06 +0000
Subject: [PATCH] [Tuning] Multiple Logon Failure Followed by Logon Success (#3340)

* Update credential_access_bruteforce_multiple_logon_failure_followed_by_success.toml

* Update credential_access_bruteforce_multiple_logon_failure_followed_by_success.toml

(cherry picked from commit 727c23e3d24e03c44277c757dfca8ed3570397e9)
---
 ...force_multiple_logon_failure_followed_by_success.toml | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/rules/windows/credential_access_bruteforce_multiple_logon_failure_followed_by_success.toml b/rules/windows/credential_access_bruteforce_multiple_logon_failure_followed_by_success.toml
index efa9d7683..555655711 100644
--- a/rules/windows/credential_access_bruteforce_multiple_logon_failure_followed_by_success.toml
+++ b/rules/windows/credential_access_bruteforce_multiple_logon_failure_followed_by_success.toml
@@ -4,7 +4,7 @@ integration = ["system", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/10/23"
+updated_date = "2023/12/14"
 
 [transform]
 [[transform.osquery]]
@@ -40,7 +40,7 @@ brute force login attempts across multiple users with a common or known password
 accounts.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
+index = ["winlogbeat-*", "logs-system.security*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Multiple Logon Failure Followed by Logon Success"
@@ -117,8 +117,9 @@ query = '''
 sequence by winlog.computer_name, source.ip with maxspan=5s
 [authentication where event.action == "logon-failed" and
 /* event 4625 need to be logged */
- winlog.logon.type : "Network" and
- source.ip != null and source.ip != "127.0.0.1" and source.ip != "::1" and
+ winlog.logon.type : "Network" and user.id != null and
+ source.ip != null and source.ip != "127.0.0.1" and source.ip != "::1" and
+ not winlog.event_data.TargetUserSid : "S-1-0-0" and not user.id : "S-1-0-0" and
 not user.name : ("ANONYMOUS LOGON", "-", "*$") and not user.domain == "NT AUTHORITY" and
 /* noisy failure status codes often associated to authentication misconfiguration */
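Review bot: The added `not winlog.event_data.TargetUserSid : "S-1-0-0" and not user.id : "S-1-0-0"` line, together with the new `user.id != null` guard, drops every 4625 whose target SID is the NULL SID, which Windows typically records when the attempted account name does not exist, so failures against unknown or mistyped accounts no longer count toward the failure run this sequence requires; that is a reasonable noise trade-off, but neither the hunk nor the commit message records it, and it does reduce coverage of spraying that cycles through non-existent usernames. A one-line EQL comment above the added line would keep the rationale with the query, e.g. `/* NULL SID (S-1-0-0) = unknown account name; excluded to cut misconfiguration noise, at the cost of failures against non-existent users */`. If the system integration populates `user.id` from `TargetUserSid` on 4625 events, the two S-1-0-0 tests are redundant with each other and with `user.id != null`; keeping both is harmless across winlogbeat and integration mappings, but a short comment saying the duplication is intentional would stop the next tuner from "simplifying" it. The `sequence` body, including its second `[authentication ...]` step, continues outside the hunk.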