Seeing lots of "Brute Force Access Behavior Detected" notable events coming from Microsoft domain controllers. The correlation search triggers when successful authentication >0 and failuresbysrccount1h is above medium. The source is domain controllers which handle authentication requests from thousands of users. Any recommendations on safely tuning this correlation search?
I don't want to see brute force from DCs as this is of no use, but instead from actual users. I am stuck at the place where this extreme search is defined in the rule: "xswhere failure from failuresbysrccount1h in authentication is above medium"
I want to replace this failuresbysrccount1h with failuresbyusercount1h but don't have an idea how to change this. Any help in this would be appreciated.
Here's one for username guessing attacks I put on gosplunk. In particular, check the 2nd line.
| bin _time span=5m as minute
Try tweaking the timer as seen in the SPL. If you're analysing whether it takes someone less than a minute to guess wrongly 4 times, then they're a terrible brute forcer.
Doing it in 5 minute blocks may help suppress some of those false positives.
sourcetype=windows EventCode=4625 OR EventCode=4624
| bin _time span=5m as minute
| rex "Security ID:\s*\w*\s*\w*\s*Account Name:\s*(?<username>.*)\s*Account Domain:"
| stats count(Keywords) as Attempts, count(eval(match(Keywords,"Audit Failure"))) as Failed, count(eval(match(Keywords,"Audit Success"))) as Success by minute username
| where Failed>=4
| stats dc(username) as Total by minute
| where Total>5
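For the original question (keying the ES rule on user rather than on source), here is an added example of how the correlation search changes; it is not from this thread or from Splunk's shipped content, and it assumes your rule has the default shape of the ES "Brute Force Access Behavior Detected" search and that the user-keyed Extreme Search context is named failures_by_user_count_1h (verify the exact context name and that its context-generating search is enabled in your deployment):

```spl
| tstats `summariesonly` values(Authentication.tag) as tag, values(Authentication.app) as app,
    values(Authentication.src) as src,
    count(eval('Authentication.action'=="failure")) as failure,
    count(eval('Authentication.action'=="success")) as success
    from datamodel=Authentication by Authentication.user
| `drop_dm_object_name("Authentication")`
| search success>0
| xswhere failure from failures_by_user_count_1h in authentication is above medium
```

The two edits that matter are `by Authentication.user` (so failures are counted per account instead of per domain controller) and the matching user-keyed context in `xswhere`; `values(Authentication.src)` is kept only so the notable still shows where the failures came from. Note that once the rule is per-user, one source failing once against many different accounts (spraying) will no longer trip it on its own, so keep a source-keyed rule, with DCs excluded, for that case.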