How to create a rule to detect: "Successful Brute Force Attack"
(When more than 10 Windows logout events (ID 4625) occur AND are followed by a Windows login event (ID 4624) on the same host) within a 5-minute timespan
Thresholds: Number of events: 10
Timespan: 5 minutes
Aggregation: Same host
Sequence: 4625 followed by 4624
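
The rule logic described above, sketched in SIEM-agnostic Python as an added example that is not part of the original post. Event ID 4625 is the Windows Security log record for a failed logon and 4624 for a successful one; the `(timestamp, host, event_id)` tuple layout, the function names and the host names are assumptions made for this example, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_LOGON = 4625      # Windows Security log: an account failed to log on
SUCCESSFUL_LOGON = 4624  # Windows Security log: an account was successfully logged on
THRESHOLD = 10           # alert when MORE than this many 4625 events precede a 4624
WINDOW = timedelta(minutes=5)


def detect_successful_brute_force(events, threshold=THRESHOLD, window=WINDOW):
    """Return one alert per 4624 preceded by > threshold 4625s on the same host.
    `events` is an iterable of (timestamp, host, event_id) tuples; this tuple
    layout is an assumption of the example, not a SIEM schema.
    """
    failures = defaultdict(deque)  # host -> timestamps of recent 4625 events
    alerts = []
    for ts, host, event_id in sorted(events):
        recent = failures[host]
        # Drop failures that have aged out of the window for this host.
        while recent and ts - recent[0] > window:
            recent.popleft()
        if event_id == FAILED_LOGON:
            recent.append(ts)
        elif event_id == SUCCESSFUL_LOGON and len(recent) > threshold:
            alerts.append({"host": host, "time": ts, "failed_count": len(recent)})
            recent.clear()  # start a new sequence so one burst alerts once
    return alerts


def build_sample_events():
    """Constructed sample data: three hosts, only HOST-A should alert."""
    t0 = datetime(2024, 1, 1, 9, 0, 0)
    events = []
    # HOST-A: 11 failures 10 s apart, then a success 10 s later (inside 5 min).
    events += [(t0 + timedelta(seconds=10 * i), "HOST-A", 4625) for i in range(11)]
    events.append((t0 + timedelta(seconds=110), "HOST-A", 4624))
    # HOST-B: exactly 10 failures then a success -> not "more than 10".
    events += [(t0 + timedelta(seconds=10 * i), "HOST-B", 4625) for i in range(10)]
    events.append((t0 + timedelta(seconds=100), "HOST-B", 4624))
    # HOST-C: 11 failures, but the success arrives 10 minutes later.
    events += [(t0 + timedelta(seconds=10 * i), "HOST-C", 4625) for i in range(11)]
    events.append((t0 + timedelta(minutes=10), "HOST-C", 4624))
    return events


if __name__ == "__main__":
    for alert in detect_successful_brute_force(build_sample_events()):
        print(alert)
```

HOST-B and HOST-C are the boundary cases worth replaying against any real rule: exactly 10 failures does not satisfy "more than 10", and a success outside the 5-minute window does not complete the sequence.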