From e95cbc4165614efe8d900ad71e5ab433ce2de63e Mon Sep 17 00:00:00 2001 From: Samirbous <64742097+Samirbous@users.noreply.github.com> Date: Mon, 19 Sep 2022 18:43:28 +0200 Subject: [PATCH] [New Rule] Brute Force Detection - Windows (#2275) * [New Rule] Brute Force Detection - Windows https://github.com/elastic/detection-rules/issues/2164 (T1110 - Brute Force) - multiple logon failure from same source address in 10s maxspan - 5 logon failure followed by success from same source address in 5s maxspan * non ecs * Update credential_access_bruteforce_multiple_logon_failure_followed_by_success.toml * fix error * added bruteforce admin account and linted tomls * Update credential_access_bruteforce_admin_account.toml * Update rules/windows/credential_access_bruteforce_admin_account.toml Co-authored-by: Justin Ibarra * related_rules * 4625_errorcode_notes Co-authored-by: Justin Ibarra (cherry picked from commit fc8ec668b10dc93e0fc6d9df72f5da6c50c9a344) --- detection_rules/etc/non-ecs-schema.json | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/detection_rules/etc/non-ecs-schema.json b/detection_rules/etc/non-ecs-schema.json index 60fafb229..db6b7f23d 100644 --- a/detection_rules/etc/non-ecs-schema.json +++ b/detection_rules/etc/non-ecs-schema.json @@ -41,7 +41,8 @@ "PrivilegeList": "keyword", "AuthenticationPackageName" : "keyword", "TargetUserSid" : "keyword", - "DnsHostName" : "keyword" + "DnsHostName" : "keyword", + "winlog.event_data.Status": "keyword" } }, "winlog.logon.type": "keyword",
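Review bot: the added key `"winlog.event_data.Status": "keyword"` is a fully dotted path placed inside a nested object whose sibling entries (`"PrivilegeList"`, `"AuthenticationPackageName"`, `"TargetUserSid"`, `"DnsHostName"`) are bare field names, so the entry is inconsistent with the object it sits in and will only resolve if the schema loader accepts both forms at this level. If this object is the per-event `event_data` mapping, declare it as `"Status": "keyword"` next to `"DnsHostName"` and drop the dotted variant; if the dotted form is what the loader expects, the hunk should say so in a comment or the PR description, since the other entries suggest otherwise. The `keyword` type itself is right for the 4625 Status value (an NTSTATUS hex string, not a number), and the same check applies to any other non-ECS field the new rules query that is not yet declared here.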