Spike in failed logon events ML rule alerting

Maretti · March 14, 2023, 9:31am

Hi everyone

I am experimenting with the ML learning rule that alerts when a spike happens in failed logon events. I did a RDP bruteforce from kali to windows in the bruteforce the password did get guessed so the host is actually compromised. The alert just gives a low severity alert so it would be better if another alert gets send if a successful logon happened during the spike.

What would be an easy way to do this?

system · April 11, 2023, 9:32am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Microsoft 365 Detection Rule/Machine Learning Rule Elastic Security elastic-stack-machine-learning	3	963	November 4, 2022
Watch for Login failure in windows events with watcher Elasticsearch elastic-stack-alerting	2	472	August 29, 2019
Watcher alerts for failed logons Elasticsearch	8	5175	August 22, 2017
There seems to be a bug in 7.10.2's builtin ml job windows_rare_user_type10_remote_login Elastic Security elastic-stack-machine-learning	2	394	March 18, 2021
Detect_Failed_Logon Kibana windows	1	330	April 28, 2022

Spike in failed logon events ML rule alerting

Related topics