Level 7

Rule to Detect Password Spraying Attempts

Does anyone have a good rule in place to detect password spraying in a domain environment? If this can be accomplished via an OOTB ACE rule, what modifications were made to reduce false positives?

0 Kudos
1 Reply
Level 9

Re: Rule to Detect Password Spraying Attempts

There's a default rule "Login - Brute Force Login Attempts from a Single Source" that could be used by just modifying the parameters to include an extended period of time. It defaults to 10 minutes and 5 events, but you could up that to, say, 4 hours or so. I'd start there, see what kind of results you get and see if, in your environment, there's anything you can do to reduce false positives.

0 Kudos
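
The tuning suggested in the reply, as an added example that is not part of the original thread and is not the ESM rule itself: a sliding-window count of failed logons per source, with the window and event threshold as parameters. The sample events are constructed, and the `min_users` distinct-account filter is an assumption added here as one possible way to reduce false positives.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of failed-logon events: (timestamp, source IP, username).
BASE = datetime(2024, 1, 1, 8, 0, 0)
SAMPLE_EVENTS = (
    # One source trying a different account every 30 minutes (slow spray).
    [(BASE + timedelta(minutes=30 * i), "10.0.0.50", f"user{i}") for i in range(6)]
    # One user mistyping their own password five times within two minutes.
    + [(BASE + timedelta(seconds=20 * i), "10.0.0.77", "alice") for i in range(5)]
)


def flag_sources(events, window, min_events, min_users=1):
    """Return sources with >= min_events failures inside `window` that also
    span >= min_users distinct usernames (min_users is an added assumption)."""
    recent = defaultdict(deque)  # source -> failures still inside the window
    flagged = set()
    for ts, src, user in sorted(events):
        q = recent[src]
        q.append((ts, user))
        # Drop failures that have aged out of the sliding window.
        while ts - q[0][0] > window:
            q.popleft()
        if len(q) >= min_events and len({u for _, u in q}) >= min_users:
            flagged.add(src)
    return flagged


if __name__ == "__main__":
    # Default parameters from the reply: 5 events in 10 minutes.
    print("10 min / 5 events:", flag_sources(SAMPLE_EVENTS, timedelta(minutes=10), 5))
    # Extended window from the reply: 5 events in 4 hours.
    print("4 h / 5 events:", flag_sources(SAMPLE_EVENTS, timedelta(hours=4), 5))
    # Extended window plus the distinct-account filter.
    print("4 h / 5 events / 5 users:",
          flag_sources(SAMPLE_EVENTS, timedelta(hours=4), 5, min_users=5))
```

With the 10-minute default only the user mistyping a password is flagged; the 4-hour window also catches the slow source, and requiring several distinct accounts drops the mistyping user.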