I want to learn something about the "Successful Local Host Login after Brute Force Attempts" correlation rule.
In this rule there is a Group By (Destination IP). So a local host tries a brute force, and after the first events (10 times in 10 mins) another local host logs in successfully. But they are different local hosts. These steps are correct, but Group By Destination IP is the default value, which is our DC server's.
What do you think about this? Is it normal?
This detection searches for the trigger of "Brute Force Login Attempts on a Local Host" (rule 47-4000010) followed by an event in the normalization category of "Host Login" with an Event Subtype of "Success", and a context of either "External to Internal" or "Internal to Internal".
Yes, it's normal, but a successful login by any other host during a brute force by another host is not normal.
Thanks for the fast response.
You can see in the image (marked in red) Group By: Destination IP
This rule is correct as you said before, but in the event logs I see that the destination IP is the Domain Controller's IP, so in every Windows logon event the server checks the domain with the DC. I think this correlation rule is not totally correct. We should add "AND the destination IP is not the DC's IP" to this rule.
Yes, you can exclude it. On the other hand, you can also add Source IP to the Group By field, so that whenever multiple failed login attempts from a unique IP to a unique destination IP are followed by a successful login from the same source and destination IP, the event will trigger.
I have a somewhat different issue. I want to detect someone trying to brute-force access to Office 365/Azure AD.
Now the customer funnels all traffic through one IP address, so I get something like this triggering an alert:
meaning I get lots of false positives. I need the logic to force the successful login to be from the same Source User as well as the same source IP address. How would I do that? (on v11.1.3)
Hi, great question.
Just add "Source User" to the "Group by" field at the top as well.
How do you do it?
Click on the Star icon on the right.
Choose "Source User" and move it to the right.
Don't forget to roll out 🙂
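The Group By choice discussed in both threads above (Destination IP only, versus adding Source IP and Source User), shown as an added stand-alone Python model of the correlation rather than the product's own rule engine. The events, IPs and user names are constructed; the threshold (10 failures in 10 minutes) and the failure-then-success sequence follow the rule description in the thread.

```python
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

Event = namedtuple("Event", "time src_ip dst_ip user subtype")

T0 = datetime(2024, 1, 1, 9, 0)
DC_IP = "10.0.0.5"  # constructed: the domain controller that shows up as Destination IP

# Constructed sample log: host .10 fails 10 times as "alice" within 10 minutes against
# the DC; then an unrelated host logs in, then another user behind the same source IP
# (the NAT / single-egress case), then "alice" from .10 finally succeeds.
SAMPLE = (
    [Event(T0 + timedelta(minutes=m), "192.168.1.10", DC_IP, "alice", "Failure") for m in range(10)]
    + [Event(T0 + timedelta(minutes=9, seconds=30), "192.168.1.20", DC_IP, "bob", "Success"),
       Event(T0 + timedelta(minutes=9, seconds=35), "192.168.1.10", DC_IP, "carol", "Success"),
       Event(T0 + timedelta(minutes=9, seconds=45), "192.168.1.10", DC_IP, "alice", "Success")]
)

def correlate(events, group_by, threshold=10, window=timedelta(minutes=10)):
    """Return the Success events that are preceded, within `window`, by at least
    `threshold` Failure events sharing the same Group By key."""
    failures = defaultdict(list)  # key -> timestamps of recent failures
    alerts = []
    for ev in sorted(events, key=lambda e: e.time):
        key = group_by(ev)
        recent = [t for t in failures[key] if ev.time - t <= window]  # drop stale failures
        failures[key] = recent
        if ev.subtype == "Failure":
            failures[key].append(ev.time)
        elif ev.subtype == "Success" and len(recent) >= threshold:
            alerts.append(ev)
    return alerts

# The three Group By variants discussed in the thread.
def by_dst(e):           return (e.dst_ip,)
def by_src_dst(e):       return (e.src_ip, e.dst_ip)
def by_src_dst_user(e):  return (e.src_ip, e.dst_ip, e.user)

def alerted_users(group_by):
    return [(a.src_ip, a.user) for a in correlate(SAMPLE, group_by)]

if __name__ == "__main__":
    for name, g in [("Destination IP", by_dst), ("Source IP + Destination IP", by_src_dst),
                    ("Source IP + Destination IP + Source User", by_src_dst_user)]:
        print(f"Group by {name}: {alerted_users(g)}")
```

Grouping by Destination IP alone fires on every success against the DC, adding Source IP still fires for any user behind the shared egress address, and only the Source IP + Destination IP + Source User key isolates the account that actually accumulated the failures.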