[New Rule] Brute Force Detection - Windows (#2275)

* [New Rule] Brute Force Detection - Windows

https://github.com/elastic/detection-rules/issues/2164 (T1110 - Brute Force)

- multiple logon failures from the same source address in a 10s maxspan
- 5 logon failures followed by a success from the same source address in a 5s maxspan

* non-ECS

* Update credential_access_bruteforce_multiple_logon_failure_followed_by_success.toml

* fix error

* added bruteforce admin account and linted TOMLs

* Update credential_access_bruteforce_admin_account.toml

* Update rules/windows/credential_access_bruteforce_admin_account.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* related_rules

* 4625_errorcode_notes

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

(cherry picked from commit fc8ec668b1)
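The two patterns the commit message describes (a burst of 4625 logon failures from one source address within a maxspan, and a run of failures followed by a 4624 success from the same address) replayed over constructed Windows Security events. This is an added example, not the rules' EQL or any code from elastic/detection-rules; the event shape, the sample timestamps and the `CREDENTIAL_FAILURE_STATUS` filter are assumptions made for illustration (0xC000006D is the generic "bad user name or password" NTSTATUS carried in the 4625 Status field).

```python
"""Replay of the two brute-force patterns from the commit message over
constructed Windows Security events (added example, not the rules' own EQL)."""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class LogonEvent:
    ts: datetime
    event_id: int        # 4625 = logon failure, 4624 = logon success
    source_ip: str       # source.ip, the field both patterns group by
    target_user: str
    status: str = ""     # winlog.event_data.Status on 4625 (NTSTATUS as hex text)


# Assumption for this example: only count 4625s whose Status is a credential
# failure. 0xC000006D is the generic "bad user name or password" NTSTATUS;
# lockouts and disabled accounts are left out so a burst of locked-out
# retries does not count as fresh guessing.
CREDENTIAL_FAILURE_STATUS = {"0xC000006D"}


def _t(seconds: float) -> datetime:
    return datetime(2022, 9, 19, 12, 0, 0) + timedelta(seconds=seconds)


# Constructed sample events (not real logs). 10.0.0.5 sprays several users
# and then lands a success on "admin"; 10.0.0.9 is one user who mistypes twice.
EVENTS = [
    LogonEvent(_t(0.0), 4625, "10.0.0.5", "alice", "0xC000006D"),
    LogonEvent(_t(0.7), 4625, "10.0.0.5", "bob", "0xC000006D"),
    LogonEvent(_t(1.3), 4625, "10.0.0.5", "carol", "0xC000006D"),
    LogonEvent(_t(2.0), 4625, "10.0.0.5", "admin", "0xC000006D"),
    LogonEvent(_t(2.6), 4625, "10.0.0.5", "admin", "0xC000006D"),
    LogonEvent(_t(3.1), 4624, "10.0.0.5", "admin"),
    LogonEvent(_t(5.0), 4625, "10.0.0.9", "dave", "0xC000006D"),
    LogonEvent(_t(40.0), 4625, "10.0.0.9", "dave", "0xC000006D"),
    LogonEvent(_t(41.0), 4624, "10.0.0.9", "dave"),
]


def multiple_failures(events, threshold=5, maxspan_seconds=10.0):
    """One alert per source.ip each time `threshold` credential failures fall
    inside a sliding window of `maxspan_seconds` on a time-ordered stream."""
    maxspan = timedelta(seconds=maxspan_seconds)
    window = defaultdict(deque)
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.event_id != 4625 or ev.status not in CREDENTIAL_FAILURE_STATUS:
            continue
        q = window[ev.source_ip]
        q.append(ev.ts)
        while q and ev.ts - q[0] > maxspan:   # drop failures older than maxspan
            q.popleft()
        if len(q) >= threshold:
            alerts.append((ev.source_ip, q[0], ev.ts))
            q.clear()                         # one burst yields one alert
    return alerts


def failures_then_success(events, n_failures=5, maxspan_seconds=5.0):
    """Alert when a 4624 from source.ip is preceded by `n_failures` credential
    failures from the same ip, with the whole run inside `maxspan_seconds`."""
    maxspan = timedelta(seconds=maxspan_seconds)
    recent = defaultdict(deque)
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        q = recent[ev.source_ip]
        if ev.event_id == 4625 and ev.status in CREDENTIAL_FAILURE_STATUS:
            q.append(ev.ts)
            if len(q) > n_failures:           # keep only the last n failures
                q.popleft()
        elif ev.event_id == 4624:
            if len(q) == n_failures and ev.ts - q[0] <= maxspan:
                alerts.append((ev.source_ip, ev.target_user, q[0], ev.ts))
            q.clear()                         # a success ends the sequence
    return alerts


if __name__ == "__main__":
    for a in multiple_failures(EVENTS):
        print("burst of failures:", a)
    for a in failures_then_success(EVENTS):
        print("failures then success:", a)
```

With the message's thresholds only 10.0.0.5 fires both patterns; the two mistyped logons from 10.0.0.9 are 35s apart, so they never share a window. Lowering the threshold to 2 but keeping the 10s maxspan still leaves 10.0.0.9 quiet, which is the point of bounding the sequence in time rather than counting failures alone.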
Samirbous
2022-09-19 18:43:28 +02:00
committed by github-actions[bot]
parent 323c86d986
commit e95cbc4165
+2 -1
@@ -41,7 +41,8 @@
"PrivilegeList": "keyword",
"AuthenticationPackageName" : "keyword",
"TargetUserSid" : "keyword",
"DnsHostName" : "keyword"
"DnsHostName" : "keyword",
"winlog.event_data.Status": "keyword"
}
},
"winlog.logon.type": "keyword",
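Review bot: the added key "winlog.event_data.Status" is the only fully qualified name in this nested object; its siblings ("PrivilegeList", "AuthenticationPackageName", "TargetUserSid", "DnsHostName") are bare event_data field names, so if this object is already scoped under a winlog.event_data prefix the new entry resolves to a path that no event carries and the rules' Status filter will not match the schema. Suggest "Status": "keyword" next to "DnsHostName": "keyword", or, if the full path is intended, move the entry out of this object beside "winlog.logon.type": "keyword". The +2 -1 stat also implies the "DnsHostName" line is being replaced only to gain a trailing comma, which is fine but worth a one-line note in the commit so the rename-looking diff is not misread.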