I want to learn something about the "Successful Local Host Login after Brute Force Attempts" correlation rule.
In this rule there is a Group By (Destination IP). So a local host is attempting a brute force; after the first events (10 times in 10 mins) another local host logs in successfully. But they are different local hosts. These steps are correct, but the Group By Destination IP value is by default our DC server's.
What do you think about this? Is it normal?
This detection searches for the trigger of "Brute Force Login Attempts on a Local Host" (rule 47-4000010) followed by an event in the normalization category of "Host Login" with an Event Subtype of "Success", and a context of either "External to Internal" or "Internal to Internal".
Yes, it's normal, but a successful login by any other host during a brute force by another host is not normal.
Thanks for fast response.
You can see in the image (red effect) Group By: Destination IP.
This rule is correct as you said before, but in the event logs I see that the destination IP is the Domain Controller's IP, so in every Windows logon event the server checks the domain from the DC. I think this correlation rule is not totally correct. We should add "AND the destination IP is not the DC's IP" to this rule.
Yes, you can exclude it. On the other hand, you can also add Source IP to the Group By field, so whenever multiple failed login attempts from a unique source IP to a unique destination IP are followed by a successful login from the same source and destination IP, the rule will trigger.
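To make the grouping problem discussed in this thread concrete, here is an added example (not code from the thread or from the SIEM vendor) that replays a handful of constructed Windows logon events through a minimal correlation function. It shows that grouping only by destination IP fires when an unrelated host logs in through the same DC, that grouping by (source IP, destination IP) fires only for the host that actually brute-forced, and what the "exclude the DC's IP" option does to the same events. The event fields, the 10-failures-in-10-minutes threshold and all IP addresses are assumptions modelled on the discussion, not the product's rule definition.

```python
"""Added example: replay constructed logon events through a toy correlation rule
to compare Group By choices. Field names, threshold and addresses are assumptions."""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Callable, FrozenSet, Iterable, List, Tuple


@dataclass(frozen=True)
class LogonEvent:
    ts: int         # seconds (constructed values, not real timestamps)
    src_ip: str     # host that attempted the logon
    dst_ip: str     # host that evaluated the logon (the DC for a domain logon)
    success: bool   # True for Host Login / Success, False for a failure


WINDOW = 600      # 10 minutes, as described in the thread
THRESHOLD = 10    # failed attempts within WINDOW that arm the brute-force trigger

Key = Callable[[LogonEvent], Tuple[str, ...]]


def key_dst(e: LogonEvent) -> Tuple[str, ...]:
    """Group By: Destination IP (the rule's default in the thread)."""
    return (e.dst_ip,)


def key_src_dst(e: LogonEvent) -> Tuple[str, ...]:
    """Group By: Source IP + Destination IP (the fix suggested in the last reply)."""
    return (e.src_ip, e.dst_ip)


def correlate(events: Iterable[LogonEvent], key: Key, window: int = WINDOW,
              threshold: int = THRESHOLD,
              exclude_dst: FrozenSet[str] = frozenset()) -> List[Tuple[LogonEvent, Tuple[str, ...]]]:
    """Return (success_event, group_key) for every successful logon that follows
    at least `threshold` failures on the same group key inside `window` seconds.
    Events whose destination is in `exclude_dst` are ignored entirely, which is
    what an "AND destination IP is not the DC's IP" clause would do."""
    recent_failures = defaultdict(deque)   # group key -> timestamps of recent failures
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.dst_ip in exclude_dst:
            continue
        k = key(ev)
        q = recent_failures[k]
        while q and ev.ts - q[0] > window:   # slide the window forward
            q.popleft()
        if not ev.success:
            q.append(ev.ts)
            continue
        if len(q) >= threshold:              # trigger armed for this key: fire
            alerts.append((ev, k))
    return alerts


DC = "10.0.0.5"          # assumed Domain Controller address
ATTACKER = "10.0.1.20"   # assumed host doing the brute force
BYSTANDER = "10.0.1.77"  # assumed unrelated workstation


def sample_events() -> List[LogonEvent]:
    """Constructed sequence: 10 failures from ATTACKER against the DC over five
    minutes, then a normal logon by BYSTANDER (also evaluated by the DC), then a
    successful logon by ATTACKER."""
    evs = [LogonEvent(1000 + i * 30, ATTACKER, DC, False) for i in range(THRESHOLD)]
    evs.append(LogonEvent(1400, BYSTANDER, DC, True))
    evs.append(LogonEvent(1450, ATTACKER, DC, True))
    return evs


def fired_sources(alerts) -> List[str]:
    """Source IPs of the successful logons that raised an alert, in order."""
    return [ev.src_ip for ev, _ in alerts]


if __name__ == "__main__":
    evs = sample_events()
    print("Group By dst      :", fired_sources(correlate(evs, key_dst)))
    print("Group By src+dst  :", fired_sources(correlate(evs, key_src_dst)))
    print("dst, DC excluded  :", fired_sources(correlate(evs, key_dst, exclude_dst=frozenset({DC}))))
```

With the destination-only key the bystander's logon at 1400 fires the rule, because its key (the DC's address) is the same key the attacker's failures were counted under; with the (source, destination) key only the attacker's own success at 1450 fires. Excluding the DC as destination silences the false positive, but on this constructed sample, where every logon is evaluated by the DC, it also silences the genuine hit, which is why the source-plus-destination grouping is the safer of the two options in the last reply when the logs come from domain logons.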