Brute Force Detection Rule

Greetings!
I'm using WinlogBeats with configured Sysmon.
I want to write my own rule: If any user in last 5 minutes failed to login 5 times, Detection should trigger.

So I tried this:

This is threshold rule, but I don't really understand the options here: Group by with Threshold and Count with Unique.

In general, event.code: 4625 is Windows Event of bad password provided by the user on login.

Can someone help me explain how can I write this type of rule?

Greetings, @filip.wozniak! You're definitely on the right track. Your custom query can just be event.code:"4625" ... you can remove the @timestamp portion of the query and configure that below in Step 3 (Schedule Rule).

For this particular use case, you want to group by the username and look for >= 5 occurrences in the time range. So your Group by looks correct and you'd want to set a Threshold value of 5.

You do not need anything in the Count or Unique values inputs. Those are used for cases when you're looking for high-cardinality fields, not for cases like this where you're just counting events that occur over a time period. For instance, if you only wanted to look for users that failed to login 5 times, but from more than 1 IP address, you could use Count: source.ip with >= 1 Unique Values.

Finally, set your rule interval to 5 minutes. The additional look-back time configuration parameter is there to add a buffer to your time window to ensure that events are never missed (but if you tweak it too high, you can get false positives). For example, to ensure that you never miss a hit due to the timing of the rule run, you'd need to set Additional look-back time to 5 minutes as well, although you may end up with some threshold hits that occurred over a greater time window than 5 minutes.

To summarize, for this particular use case, the below configuration should work for you:

Custom query: event.code:"4625"
Group by: winlog.event_data.AccountName
Threshold: 5
Count: <empty>
Unique values: <empty>
Runs every: 5 minutes
Additional look-back time: 0-5 minutes (5 to err on the side of false positives, 0 to err on the side of false negatives)

Hope this helps, and thanks so much for posting!
-Madi

2 Likes

Thank you @madi
Your post explained everything very well! I'm studying built in detection rules and now I'm trying to write mine. Unfortunetly, I've found very little tutorials or 'how-tos' so I had to visit this discuss board. Thank you so much! If you had any materials or tutorials available online, I would be glad if you can share it!

Edit:
At first it didn't worked. I've used wrong type of Group by event. Don't use winlog.event_data.AccountName. Use winlog.event_data.TargetUserName instead.

1 Like

3 Failed logins for the same user, to the same host, from the same source IP, followed by a
success, in a 15 second time period

sequence by host.name,source.ip with maxspan=15s
[ authentication where event.outcome == "failure" ] by user.name
[ authentication where event.outcome == "failure" ] by user.name
[ authentication where event.outcome == "failure" ] by user.name
[ authentication where event.outcome == "success" ] by user.name
1 Like