new: bruteforce detection for a single account based on Event 4625 #6085
Open
Hydra2113 wants to merge 2 commits into
Adds a Sigma correlation rule (event_count) that detects more than 4 failed logon attempts (EventID 4625) for a single account from a single source within a 5 minute window, grouped by TargetUserName, TargetDomainName and IpAddress.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
- Add required metadata (status, description, author, date, level) to the base rule
- Rename file with the required 'correlation_' prefix
Passes: sigma check --fail-on-error --fail-on-issues with the repo validation config.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Welcome @Hydra2113 👋
It looks like this is your first pull request on the Sigma rules repository!
Please make sure to read the SigmaHQ conventions to make sure your contribution is adhering to best practices and has all the necessary elements in place for a successful approval.
Thanks again, and welcome to the Sigma community! 😃
If you want to engage more with the community for official support, general discussions or announcements:
Summary of the Pull Request
Adds a new Sigma correlation rule (event_count) that detects brute-force authentication against a single Windows account. It counts failed logon events (EventID 4625) grouped by TargetUserName, TargetDomainName and IpAddress, and triggers when more than 4 failures occur for the same account from the same source within a 5-minute window. The purpose of this rule is to quickly get a base for detecting brute force activity on Windows accounts and adjusting based on the noise in your specific environment.
The referenced base rule (failed_logon_attempts_4625) is included in the same file via the --- separator, as recommended when a base rule exists only to support a correlation rule.
Validation performed locally:
- python tests/test_logsource.py → OK
- python tests/test_rules.py → OK
- sigma check --fail-on-error --fail-on-issues --validation-config tests/sigma_cli_conf.yml <rule> → 0 errors, 0 issues
- sigma convert -t splunk -p splunk_windows.
Changelog
new: Brute Force Authentication Attempts For Single Account
Example Log Event
N/A. This PR adds a new rule and is not a false-positive fix. For reference, the detection consumes standard Windows Security 4625 (failed logon) events, e.g.:
EventID: 4625
TargetUserName: jsmith
TargetDomainName: CORP
IpAddress: 10.10.5.23
LogonType: 3
Status: 0xC000006A
SigmaHQ Rule Creation Conventions
sigma check against the repository's validation config).
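The event_count correlation described in this PR, emulated in Python over constructed 4625 events so the threshold and grouping can be exercised offline. This is an added illustration, not the PR's rule or any Sigma tooling code; the helper names (`ev`, `detect_bruteforce`), the user names and the addresses are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 4                    # condition gt: 4 -> alert on the 5th failure
TIMESPAN = timedelta(minutes=5)  # sliding window length
GROUP_BY = ("TargetUserName", "TargetDomainName", "IpAddress")

def ev(t, user, domain, ip, event_id=4625):
    # Minimal Windows Security event record (constructed sample, hypothetical values)
    return {"EventID": event_id, "TimeCreated": datetime.strptime(t, "%Y-%m-%d %H:%M:%S"),
            "TargetUserName": user, "TargetDomainName": domain, "IpAddress": ip}

# Constructed sample events; users and addresses are hypothetical.
SAMPLE_EVENTS = [
    # jsmith from 10.10.5.23: five failures within ~2 minutes -> alert
    ev("2024-05-01 09:00:05", "jsmith", "CORP", "10.10.5.23"),
    ev("2024-05-01 09:00:40", "jsmith", "CORP", "10.10.5.23"),
    ev("2024-05-01 09:01:12", "jsmith", "CORP", "10.10.5.23"),
    ev("2024-05-01 09:01:50", "jsmith", "CORP", "10.10.5.23"),
    ev("2024-05-01 09:02:07", "jsmith", "CORP", "10.10.5.23"),
    # same account from a second source: only three failures -> no alert
    ev("2024-05-01 09:00:30", "jsmith", "CORP", "10.10.5.99"),
    ev("2024-05-01 09:01:00", "jsmith", "CORP", "10.10.5.99"),
    ev("2024-05-01 09:01:30", "jsmith", "CORP", "10.10.5.99"),
    # a successful logon (4624) is not matched by the base rule
    ev("2024-05-01 09:02:30", "jsmith", "CORP", "10.10.5.23", event_id=4624),
    # svc_backup: five failures spread over 12 minutes -> never more than 4 in any 5 min
    ev("2024-05-01 09:00:00", "svc_backup", "CORP", "10.10.7.4"),
    ev("2024-05-01 09:03:00", "svc_backup", "CORP", "10.10.7.4"),
    ev("2024-05-01 09:06:00", "svc_backup", "CORP", "10.10.7.4"),
    ev("2024-05-01 09:09:00", "svc_backup", "CORP", "10.10.7.4"),
    ev("2024-05-01 09:12:00", "svc_backup", "CORP", "10.10.7.4"),
]

def detect_bruteforce(events, threshold=THRESHOLD, timespan=TIMESPAN):
    """Emulate the event_count correlation: count 4625 events per group key in a
    sliding window and alert once per burst when the count exceeds threshold."""
    windows, alerts = defaultdict(deque), []
    for e in sorted(events, key=lambda x: x["TimeCreated"]):
        if e["EventID"] != 4625:            # base rule selects failed logons only
            continue
        key, now = tuple(e[f] for f in GROUP_BY), e["TimeCreated"]
        win = windows[key]
        while win and now - win[0] >= timespan:   # drop events outside the window
            win.popleft()
        win.append(now)
        if len(win) > threshold:
            alerts.append({"key": key, "count": len(win), "first": win[0], "last": now})
            win.clear()                     # one alert per burst
    return alerts
```

Running `detect_bruteforce(SAMPLE_EVENTS)` yields a single alert for jsmith from 10.10.5.23; lowering `threshold` shows how quickly the same data turns noisy, which is the tuning the PR description anticipates.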