Does anyone have a good rule in place to detect password spraying in a domain environment? If this can be accomplished via a OOTB ACE rule, what modifications were made to reduce false positives?
There's a default rule "Login - Brute Force Login Attempts form a Single Source" that could be used by just modifying the parameters to include an extended period of time. It defaults to 10 minutes and 5 events, but you could up that to say 4 hours or so. I'd start there, see what kind of results you get and see if in your environment, there's anything you can do to reduce false positives.
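Added example (not from the thread or any SIEM product): a small Python re-implementation of that "failures from a single source within a time window" logic, run over constructed failed-logon events, so you can see why the 10-minute/5-event default misses a slow spray and the 4-hour window catches it. It also goes one step beyond the answer by adding a hypothetical distinct-account threshold, which is the usual knob for separating a spray from a single user mistyping their password.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample failed-logon events (source, account, timestamp); not real logs.
SAMPLE_EVENTS = [
    # A slow spray: one source, many accounts, one failure each, spread over hours.
    ("10.0.0.5", "alice", "2024-01-01 09:00:00"),
    ("10.0.0.5", "bob",   "2024-01-01 09:40:00"),
    ("10.0.0.5", "carol", "2024-01-01 10:20:00"),
    ("10.0.0.5", "dave",  "2024-01-01 11:00:00"),
    ("10.0.0.5", "erin",  "2024-01-01 11:40:00"),
    ("10.0.0.5", "frank", "2024-01-01 12:20:00"),
    # One user fat-fingering their own password: same source, one account, fast.
    ("10.0.0.9", "gina",  "2024-01-01 09:01:00"),
    ("10.0.0.9", "gina",  "2024-01-01 09:02:00"),
    ("10.0.0.9", "gina",  "2024-01-01 09:03:00"),
    ("10.0.0.9", "gina",  "2024-01-01 09:04:00"),
    ("10.0.0.9", "gina",  "2024-01-01 09:05:00"),
]

def parse(events):
    """Turn (src, account, 'YYYY-mm-dd HH:MM:SS') tuples into datetime-based tuples."""
    fmt = "%Y-%m-%d %H:%M:%S"
    return [(src, acct, datetime.strptime(ts, fmt)) for src, acct, ts in events]

def flagged_sources(events, window, min_events, min_accounts=1):
    """Sources with >= min_events failures inside some sliding window of length
    `window` that touch at least `min_accounts` distinct accounts.
    min_accounts=1 mirrors a plain 'brute force from single source' rule;
    raising it is the (hypothetical) spray-specific tightening."""
    by_src = defaultdict(list)
    for src, acct, ts in parse(events):
        by_src[src].append((ts, acct))
    hits = set()
    for src, items in by_src.items():
        items.sort()                      # order by timestamp
        start = 0
        for end in range(len(items)):
            # Slide the window start forward until it spans at most `window`.
            while items[end][0] - items[start][0] > window:
                start += 1
            span = items[start:end + 1]
            if len(span) >= min_events and len({a for _, a in span}) >= min_accounts:
                hits.add(src)
                break
    return sorted(hits)

DEFAULT  = flagged_sources(SAMPLE_EVENTS, timedelta(minutes=10), 5)        # ['10.0.0.9']
EXTENDED = flagged_sources(SAMPLE_EVENTS, timedelta(hours=4), 5)           # both sources
SPRAY    = flagged_sources(SAMPLE_EVENTS, timedelta(hours=4), 5, min_accounts=5)  # ['10.0.0.5']
```

With the default window only the mistyping user fires (a false positive for spraying) while the spray is invisible; widening to 4 hours catches the spray but keeps the false positive, and the distinct-account threshold drops it.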