Seeing lots of "Brute Force Access Behavior Detected" notable events coming from Microsoft domain controllers. The correlation search triggers when successful authentication >0 and failures_by_src_count_1h is above medium. The source is domain controllers which handle authentication requests from thousands of users. Any recommendations on safely tuning this correlation search.
I don't want to see brute force from DC as this is of no use but instead from actual users, I am stuck at place where this extreme search is defined in the rule "xswhere failure from failures_by_src_count_1h in authentication is above medium"
I want to replace this failures_by_src_count_1h from failures_by_user_count_1h but don't have an idea how to change this. Any help in this would be appreciated.
Do you want to get rid of 'Brute Force' attempts from Microsoft domain controllers or to create notable events only when the conceptual threshold is high or critical?
Herres one for username guessing attacks I put on gosplunk. In particular check the 2nd line.
| bin _time span=5m as minute
Try tweaking the timer as seen in the SPL. If youre analysing if it takes someone less than a minute to guess wrongly 4 times then theyre a terrible brute forcer.
Doing it in 5 minute blocks may help suppress some of those false positives.
https://gosplunk.com/detect-username-guessing-brute-force-attacks/
sourcetype=windows EventCode=4625 OR EventCode=4624
| bin _time span=5m as minute
| rex "Security ID:\s*\w*\s*\w*\s*Account Name:\s*(?<username>.*)\s*Account Domain:"
| stats count(Keywords) as Attempts,
count(eval(match(Keywords,"Audit Failure"))) as Failed,
count(eval(match(Keywords,"Audit Success"))) as Success by minute username
| where Failed>=4
| stats dc(username) as Total by minute
| where Total>5
I downvoted this post because op is asking about tuning a correlation search in es. not creating a brute force rule in core.