I found two cases where the ES correlated search "Brute Force Access Behavior Detected" is "invalid" for our purposes. They are both indicators that an AD account is locked out or disabled and are as follows:
Event Code = 4768
krb tgt request result code = 0x12 or 0x6
Now, I'm having some trouble with syntax for this (note that the datamodel expanded while I was working, and the changes I've made are reflected below the search:
So, my problem is... the rex is only valid for events with signature_id=4768. But I want to exclude explicitly those events.
I guess the question is two fold:
1) do I care about the efficiency of the rex, insomuch that I only want it to exercise against signatureid=4768? How do I do that?
2) I really only care about dealing with signatureid=4768 with krbTgtrequestresultcode is: 0x12 or 0x6. How do I do that?
Will it work if I do a single rex with two named capture groups, and then I can run a subsequent search for my inverse cases?