1 Reply Latest reply on Nov 14, 2017 6:24 PM by akerr

    Rule to Detect Password Spraying Attempts


      Does anyone have a good rule in place to detect password spraying in a domain environment? If this can be accomplished via an OOTB ACE rule, what modifications were made to reduce false positives?

        • 1. Re: Rule to Detect Password Spraying Attempts

          There's a default rule "Login - Brute Force Login Attempts from a Single Source" that could be used by just modifying the parameters to include an extended period of time. It defaults to 10 minutes and 5 events, but you could up that to say 4 hours or so. I'd start there, see what kind of results you get and see if in your environment, there's anything you can do to reduce false positives.
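An added example, not code from this thread or from the ESM/ACE rule set: a small Python sliding-window check over constructed failed-logon records that shows why the longer window matters for spraying (many accounts, one attempt each, spaced out) versus classic brute force (one account, rapid attempts). The record layout, the thresholds and the "spray" / "brute_force" labels are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RULE_DEFAULT_WINDOW = timedelta(minutes=10)  # the rule's out-of-the-box window
EXTENDED_WINDOW = timedelta(hours=4)         # the longer window suggested above

# Constructed sample of failed-logon records: (source IP, target account, time).
# This layout is an assumption for the example, not the ESM event schema.
SAMPLE_EVENTS = [
    ("10.0.0.5", "alice", "2017-11-14 09:00:00"),  # one attempt per account,
    ("10.0.0.5", "bob",   "2017-11-14 09:40:00"),  # 40 minutes apart: a spray
    ("10.0.0.5", "carol", "2017-11-14 10:20:00"),
    ("10.0.0.5", "dave",  "2017-11-14 11:00:00"),
    ("10.0.0.5", "erin",  "2017-11-14 11:40:00"),
    ("10.0.0.5", "frank", "2017-11-14 12:20:00"),
    ("10.0.0.9", "alice", "2017-11-14 09:00:00"),  # same account, one per
    ("10.0.0.9", "alice", "2017-11-14 09:01:00"),  # minute: brute force
    ("10.0.0.9", "alice", "2017-11-14 09:02:00"),
    ("10.0.0.9", "alice", "2017-11-14 09:03:00"),
    ("10.0.0.9", "alice", "2017-11-14 09:04:00"),
]


def detect(events, window=EXTENDED_WINDOW, min_events=5, min_accounts=5):
    """Return {source: kind} for sources with >= min_events failures inside
    one sliding window; kind is 'spray' when those failures touch at least
    min_accounts distinct accounts, otherwise 'brute_force'."""
    by_src = defaultdict(list)
    for src, user, ts in events:
        by_src[src].append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), user))
    alerts = {}
    for src, recs in by_src.items():
        recs.sort()
        start = 0
        for end in range(len(recs)):
            # Advance the left edge so recs[start:end + 1] spans at most `window`.
            while recs[end][0] - recs[start][0] > window:
                start += 1
            span = recs[start:end + 1]
            if len(span) < min_events:
                continue
            accounts = {user for _, user in span}
            kind = "spray" if len(accounts) >= min_accounts else "brute_force"
            alerts.setdefault(src, kind)  # keep the first classification
    return alerts


if __name__ == "__main__":
    print("10-minute window:", detect(SAMPLE_EVENTS, window=RULE_DEFAULT_WINDOW))
    print("4-hour window:   ", detect(SAMPLE_EVENTS))
```

With the stock 10-minute window only the brute-force source fires; the sprayed source only shows up once the window is widened, which is the trade-off against false positives the reply mentions.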