Threshold Rule for Detecting Brute force Attacks

Hi, with the release of 7.9 I tried creating a threshold rule for detecting and alerting Windows Brute Force Attacks. The query is Event.code 4625 and the threshold field is greater than or equal to 5.
But the rule isn't detecting anything.

Thanks for reaching out @Ameer_Mukadam. I have some questions for you to try and help identify the problem.

Are you using Winlogbeat to ship Windows security event logs to Elasticsearch? If so, what version of Winlogbeat are you using?

If you execute the following query in Discover under the winlogbeat-* index pattern, do you see 5 or more events within the time window that you specified in the threshold rule? This is to check that the events are present in order to trigger your rule.


Does your rule look similar to my example in the screenshot below?

How have you configured the schedule for your rule? In my example below, I've set the interval to 5 minutes and the additional look-back time to 1 minute.

I'll keep an eye out for your response. Thanks
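The rule and schedule described in this answer, simulated as an added example (not code from the thread or from Elastic): a constructed threshold-rule definition in the Kibana detection-rule shape, plus a small evaluator run over constructed 4625 events, showing that a burst of failed logons only triggers when the scheduled run's window (interval plus look-back) actually covers it. The grouping field `source.ip`, the rule name and the sample timestamps are assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed rule mirroring the thread: event.code 4625, threshold >= 5,
# 5-minute interval, 1-minute additional look-back. Field names follow the
# Kibana detection-rule API shape; the grouping field source.ip is an assumption.
RULE = {
    "name": "Windows brute force (failed logons)",
    "type": "threshold",
    "index": ["winlogbeat-*"],
    "language": "kuery",
    "query": "event.code:4625",
    "threshold": {"field": "source.ip", "value": 5},
    "interval": "5m",   # how often the rule runs
    "from": "now-6m",   # interval + 1m look-back = the window each run searches
}

# Constructed sample events (not real logs). One source produces a burst of six
# failed logons within a minute; another has isolated failures; one 4624 (success).
T0 = datetime(2020, 9, 1, 12, 0, 0)
EVENTS = [
    {"@timestamp": T0 + timedelta(seconds=10 * i), "event.code": "4625", "source.ip": "198.51.100.7"}
    for i in range(6)
] + [
    {"@timestamp": T0 + timedelta(minutes=2), "event.code": "4624", "source.ip": "198.51.100.7"},
    {"@timestamp": T0 - timedelta(minutes=10), "event.code": "4625", "source.ip": "203.0.113.9"},
    {"@timestamp": T0 + timedelta(minutes=1), "event.code": "4625", "source.ip": "203.0.113.9"},
]

def evaluate_threshold_rule(rule, events, now):
    """Emulate one execution of a threshold rule at time `now`.

    Keep events matching the query inside [now - window, now], bucket them by
    the threshold field, and return {group: count} for groups at/over the threshold.
    Only the "now-Nm" form of `from` is parsed (assumption for this demo).
    """
    code = rule["query"].split(":", 1)[1]                       # "4625"
    window = timedelta(minutes=int(rule["from"][len("now-"):-1]))
    field, minimum = rule["threshold"]["field"], rule["threshold"]["value"]
    counts = Counter(
        e[field] for e in events
        if e["event.code"] == code and now - window <= e["@timestamp"] <= now
    )
    return {k: n for k, n in counts.items() if n >= minimum}

def run_at(minutes_after_t0):
    """Run the rule as if the scheduler fired at T0 + N minutes."""
    return evaluate_threshold_rule(RULE, EVENTS, T0 + timedelta(minutes=minutes_after_t0))

if __name__ == "__main__":
    print(run_at(5))   # {'198.51.100.7': 6}: the burst lies inside the 6-minute window
    print(run_at(20))  # {}: same events, but this run's window no longer covers them
```

A rule whose window does not reach back to the events behaves exactly like the original poster's: the data is in the index, but no run ever sees five matches at once.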

Yes, my rule looks exactly the same. I tuned the schedule and it started working. Thank you very much.

Great! I'm glad you got it working 🙂