This detection searches for the trigger of "Brute Force Login Attempts on a Local Host" (rule 47-4000010) followed by an event in the normalization category of "Host Login" with an Event Subtype of "Success", and a context of either "External to Internal" or "Internal to Internal".
Yes, it's normal, but a successful login by any other host during a brute-force situation caused by any other host is not normal.
Thanks for the fast response.
You can see in the image (highlighted in red): Group By: Destination IP
This rule is correct, as you said before, but in the event logs I see that the destination IP is the Domain Controller's IP, because for every Windows logon event the server checks the domain with the DC. I think this correlation rule is not totally correct. We should add an "AND the destination IP is not the DC's IP" condition to this rule.
Yes, you can exclude it; on the other hand, you can also add Source IP into the Group By field, so that whenever multiple failed login attempts from a unique IP to a unique destination IP are followed by a successful login from the same source and destination IP, the event will trigger.
If I change Group By to "Source IP, Destination IP", then when the same source IP attempts brute force against the destination IP AND then the same source IP logs on to the same destination IP successfully, and the destination IP is not the DC server's: action alert.
Is it useful?
Yes, of course, but then it never triggers brute-force alerts for IPs destined to DC servers.
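The whole thread is about how the Group By key and a DC exclusion change what the "failures followed by success" correlation fires on. The following is an added example written for this page, not the forum's own rule or any SIEM vendor's implementation: it replays a constructed stream of normalized "Host Login" events (hypothetical RFC1918 addresses, 10.0.0.10 playing the domain controller) through the same logic with three configurations, so you can see the false positive from grouping by Destination IP alone, how grouping by Source IP and Destination IP removes it, and the blind spot that a blanket DC exclusion introduces. Threshold, window and field names are assumptions of the example.

```python
"""Brute-force-then-success correlation: Group By key vs. DC exclusion.

Added example for this thread; constructed sample data, not real logs."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Contexts the thread's rule accepts for the successful login.
ALLOWED_CONTEXTS = {"External to Internal", "Internal to Internal"}


def _event(ts, subtype, src, dst, context="Internal to Internal"):
    """Build one normalized 'Host Login' event (constructed sample data)."""
    return {"ts": ts, "category": "Host Login", "subtype": subtype,
            "src": src, "dst": dst, "context": context}


# Constructed sample stream (hypothetical addresses): 10.0.0.10 is the DC,
# 10.0.0.20 a file server, 10.0.0.5 the noisy source.
SAMPLE_EVENTS = (
    [_event(f"2024-01-01T09:00:0{i}", "Failure", "10.0.0.5", "10.0.0.20") for i in range(6)]
    + [_event("2024-01-01T09:00:10", "Success", "10.0.0.5", "10.0.0.20")]   # true positive
    + [_event("2024-01-01T09:00:12", "Success", "10.0.0.7", "10.0.0.20")]   # unrelated user
    + [_event(f"2024-01-01T09:00:{15 + i}", "Failure", "10.0.0.5", "10.0.0.10") for i in range(6)]
    + [_event("2024-01-01T09:00:25", "Success", "10.0.0.30", "10.0.0.10")]  # routine DC logon
    + [_event("2024-01-01T09:00:30", "Success", "10.0.0.5", "10.0.0.10")]   # noisy source reaches DC
    + [_event("2024-01-01T09:00:31", "Success", "10.0.0.5", "10.0.0.20",
              "Internal to External")]                                       # wrong context, ignored
)


def correlate(events, group_by=("src", "dst"), threshold=5,
              window=timedelta(minutes=5), dc_ips=frozenset()):
    """Return (ts, src, dst) for every accepted success that follows at least
    `threshold` failures on the same Group By key inside `window`.

    group_by: tuple of event field names forming the correlation key.
    dc_ips:   destinations excluded from alerting (the thread's DC exclusion).
    Failures are not reset after an alert, so each later success is judged
    against the same recent failures; a production rule would usually add
    a suppression period on top of this.
    """
    failures = defaultdict(deque)   # key -> timestamps of recent failures
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):   # ISO timestamps sort lexically
        if ev["category"] != "Host Login":
            continue
        ts = datetime.fromisoformat(ev["ts"])
        key = tuple(ev[f] for f in group_by)
        recent = failures[key]
        while recent and ts - recent[0] > window:      # expire failures outside the window
            recent.popleft()
        if ev["subtype"] == "Failure":
            recent.append(ts)
        elif (ev["subtype"] == "Success"
              and ev["context"] in ALLOWED_CONTEXTS
              and len(recent) >= threshold
              and ev["dst"] not in dc_ips):
            alerts.append((ev["ts"], ev["src"], ev["dst"]))
    return alerts


def by_dst_only():
    """Thread's original configuration: Group By Destination IP."""
    return correlate(SAMPLE_EVENTS, group_by=("dst",))


def by_dst_only_excluding_dc():
    """Group By Destination IP plus 'destination is not the DC'."""
    return correlate(SAMPLE_EVENTS, group_by=("dst",), dc_ips={"10.0.0.10"})


def by_src_and_dst():
    """Group By Source IP, Destination IP, no exclusion."""
    return correlate(SAMPLE_EVENTS, group_by=("src", "dst"))


def by_src_and_dst_excluding_dc():
    """Group By Source IP, Destination IP plus the DC exclusion."""
    return correlate(SAMPLE_EVENTS, group_by=("src", "dst"), dc_ips={"10.0.0.10"})


if __name__ == "__main__":
    for name, fn in [("dst only", by_dst_only),
                     ("dst only, DC excluded", by_dst_only_excluding_dc),
                     ("src+dst", by_src_and_dst),
                     ("src+dst, DC excluded", by_src_and_dst_excluding_dc)]:
        print(f"{name}:")
        for alert in fn():
            print("   ", alert)
```

Grouping by Destination IP alone raises four alerts, two of them for hosts (10.0.0.7 and 10.0.0.30) that never failed a login, which is exactly the DC noise described in the thread. Grouping by Source IP and Destination IP leaves the two successes that came from the source that actually failed repeatedly, including the one against the DC; adding the DC exclusion on top of that drops the DC hit, which is the trade-off the last reply points out.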