Getting Data In

"Brute Force Access Behavior Detected" from Microsoft domain controllers


Seeing lots of "Brute Force Access Behavior Detected" notable events coming from Microsoft domain controllers. The correlation search triggers when successful authentication >0 and failuresbysrccount1h is above medium. The source is domain controllers which handle authentication requests from thousands of users. Any recommendations on safely tuning this correlation search.

New Member

I don't want to see brute force from DC as this is of no use but instead from actual users, I am stuck at place where this extreme search is defined in the rule "xswhere failure from failuresbysrccount1h in authentication is above medium"

I want to replace this failuresbysrccount1h from failuresbyusercount1h but don't have an idea how to change this. Any help in this would be appreciated.

0 Karma


Do you want to get rid of 'Brute Force' attempts from Microsoft domain controllers or to create notable events only when the conceptual threshold is high or critical?

0 Karma


Herres one for username guessing attacks I put on gosplunk. In particular check the 2nd line.

| bin _time span=5m as minute

Try tweaking the timer as seen in the SPL. If youre analysing if it takes someone less than a minute to guess wrongly 4 times then theyre a terrible brute forcer.

Doing it in 5 minute blocks may help suppress some of those false positives.

sourcetype=windows EventCode=4625 OR EventCode=4624 
 | bin _time span=5m as minute 
 | rex "Security ID:\s*\w*\s*\w*\s*Account Name:\s*(?<username>.*)\s*Account Domain:" 
 | stats count(Keywords) as Attempts,
 count(eval(match(Keywords,"Audit Failure"))) as Failed,
 count(eval(match(Keywords,"Audit Success"))) as Success by minute username
 | where Failed>=4
 | stats dc(username) as Total by minute 
 | where Total>5
0 Karma


I downvoted this post because op is asking about tuning a correlation search in es. not creating a brute force rule in core.

0 Karma