We would like to create use cases for a password spraying attack and impossible travel activity in our environment.
Password Spraying Attack - Attacker trying to brute-force multiple accounts using default passwords.
Reference - Password Spraying Attack | OWASP Foundation
Impossible Travel Activity - a user logs in successfully from multiple different locations within a short span of time.
Reference - Create anomaly detection policies in Defender for Cloud Apps | Microsoft Docs
We would like to create EQL rules for the above cases.
Problem - the construct that helps in alerting when there are different values in the same field.
For example:
sequence by user_name
  [ any where type == "Success" ] with runs=2
  [ any where ip : "*" ]   // ":" supports wildcards; "==" would match the literal string "*"
(Here we need to capture different IPs and exclude events with the same IP.)
We are stuck on how to capture different values for the same field.
We are not using Machine learning currently.
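To make the "different values in the same field" requirement concrete, here is the detection logic behind both use cases written out in Python over constructed sample events. This is an added example, not code from the post or from Elastic: it assumes events carry the fields `user_name`, `ip`, `type` (`"Success"`/`"Failure"`) and an ISO `ts` timestamp, and the time windows and thresholds are assumptions to be tuned per environment. Both rules are the same cardinality check with the key and value fields swapped: impossible travel counts distinct source IPs per user among successful logins, password spraying counts distinct accounts per source IP among failed logins.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authentication events (not real data). RFC 5737 addresses.
EVENTS = [
    # alice: two successful logins from different IPs 25 minutes apart -> impossible travel
    {"ts": "2024-01-01T10:00:00", "user_name": "alice", "ip": "203.0.113.5", "type": "Success"},
    {"ts": "2024-01-01T10:25:00", "user_name": "alice", "ip": "198.51.100.7", "type": "Success"},
    # bob: two successful logins from the same IP -> must NOT alert
    {"ts": "2024-01-01T10:05:00", "user_name": "bob", "ip": "203.0.113.5", "type": "Success"},
    {"ts": "2024-01-01T11:40:00", "user_name": "bob", "ip": "203.0.113.5", "type": "Success"},
    # carol: different IPs, but 3.5 hours apart -> outside the window, no alert
    {"ts": "2024-01-01T09:00:00", "user_name": "carol", "ip": "192.0.2.50", "type": "Success"},
    {"ts": "2024-01-01T12:30:00", "user_name": "carol", "ip": "198.51.100.9", "type": "Success"},
    # one source IP, one failed login against each of five accounts -> spraying
    {"ts": "2024-01-01T10:30:00", "user_name": "u1", "ip": "192.0.2.99", "type": "Failure"},
    {"ts": "2024-01-01T10:31:00", "user_name": "u2", "ip": "192.0.2.99", "type": "Failure"},
    {"ts": "2024-01-01T10:32:00", "user_name": "u3", "ip": "192.0.2.99", "type": "Failure"},
    {"ts": "2024-01-01T10:33:00", "user_name": "u4", "ip": "192.0.2.99", "type": "Failure"},
    {"ts": "2024-01-01T10:34:00", "user_name": "u5", "ip": "192.0.2.99", "type": "Failure"},
    # repeated failures against ONE account: brute force, not spraying -> no alert here
    {"ts": "2024-01-01T10:40:00", "user_name": "dave", "ip": "203.0.113.77", "type": "Failure"},
    {"ts": "2024-01-01T10:41:00", "user_name": "dave", "ip": "203.0.113.77", "type": "Failure"},
    {"ts": "2024-01-01T10:42:00", "user_name": "dave", "ip": "203.0.113.77", "type": "Failure"},
]


def distinct_values_in_window(events, key_field, value_field, event_type, window, threshold):
    """Generic check for 'different values of value_field for the same key_field'.

    Events of the given type are grouped by key_field. For each key a sliding
    time window is kept; the first moment the number of DISTINCT value_field
    values inside the window reaches the threshold, an alert is recorded.
    Same-value repeats (bob, dave) never raise the distinct count.
    """
    recent = defaultdict(deque)   # key -> deque of (timestamp, value) inside the window
    alerts = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["type"] != event_type:
            continue
        key = ev[key_field]
        ts = datetime.fromisoformat(ev["ts"])
        q = recent[key]
        q.append((ts, ev[value_field]))
        while q and ts - q[0][0] > window:   # drop events that fell out of the window
            q.popleft()
        distinct = {v for _, v in q}
        if len(distinct) >= threshold and key not in alerts:
            alerts[key] = {
                "window_start": q[0][0],
                "triggered_at": ts,
                "values": sorted(distinct),
            }
    return alerts


def impossible_travel(events, window=timedelta(hours=1)):
    """Per user: successful logins from >= 2 distinct source IPs within the window."""
    return distinct_values_in_window(events, "user_name", "ip", "Success", window, 2)


def password_spraying(events, window=timedelta(minutes=10), min_accounts=5):
    """Per source IP: failed logins against >= min_accounts distinct users within the window."""
    return distinct_values_in_window(events, "ip", "user_name", "Failure", window, min_accounts)


if __name__ == "__main__":
    for user, a in impossible_travel(EVENTS).items():
        print(f"impossible travel: {user} from {a['values']} at {a['triggered_at']}")
    for ip, a in password_spraying(EVENTS).items():
        print(f"password spraying: {ip} against {len(a['values'])} accounts at {a['triggered_at']}")
```

The point the sequence in the post is missing is that "exclude the same IP" is a count of distinct values across several events, not a condition a single event can satisfy; the `distinct` set above is exactly that count. When moving this to the SIEM, the same shape maps onto a cardinality (unique count) threshold per `user_name` or per `ip` over a fixed window, with the window and thresholds chosen from your own baseline of normal logins.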