Has anyone found a way to aggregate with a Sigma rule?
I simply tried to catch when a user fails to log on 5 times within one minute.
```yaml
title: 'Windows failed logon (4625) 5 times per 1 minute'
id: ec9e3725-4037-4884-853a-a349c6c7e4f1
status: stable
description: Detects when there are multiple failed logon attempts (EventID 4625) within 60 seconds, regardless of target or source.
author: Name Surbame
date: 2024-12-13
references:
logsource:
    category: security
    product: windows
detection:
    selection:
        EventID: 4625
    condition: selection
    aggregation_key: user.name
    num_events: 5
    timeframe:
        minutes: 1
level: high
```
But it catches every single event. Even when I press convert, it returns only `any where event.code:"4625"`, as if it only wants single events.
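The keys `aggregation_key`, `num_events` and `timeframe: minutes:` are not part of the Sigma rule schema, so a converter silently ignores them and emits the plain single-event query shown above. In the Sigma specification (v2) counting and grouping is expressed in a separate correlation rule that references a base rule by `name`. The following two-document file is an added example, not the poster's rule or anything from the Sigma project; it assumes the `TargetUserName` field that Windows Security event 4625 carries, and the ids are placeholders:

```yaml
# Added example (not the poster's rule): a base rule for a single 4625
# event plus a Sigma v2 correlation rule that counts those events per
# target account. Both documents live in one YAML file.
title: Windows failed logon (4625)
name: windows_failed_logon            # referenced by the correlation rule below
id: 00000000-0000-0000-0000-000000000001   # placeholder id
status: experimental
description: Matches a single Windows failed logon event (EventID 4625).
logsource:
    product: windows
    service: security                 # Windows Security log is a service, not a category
detection:
    selection:
        EventID: 4625
    condition: selection
level: informational
---
title: Five or more failed logons for one account within one minute
id: 00000000-0000-0000-0000-000000000002   # placeholder id
status: experimental
description: >
    Fires when the same target account accumulates at least five failed
    logon events (EventID 4625) within a one-minute window, regardless of
    source host or logon type.
correlation:
    type: event_count                 # count matching events of the referenced rule
    rules:
        - windows_failed_logon        # base rule, referenced by its `name`
    group-by:
        - TargetUserName              # one counter per account (assumed Windows field)
    timespan: 1m                      # sliding window length
    condition:
        gte: 5                        # five or more events in the window
level: high
```

Converting this requires a backend that implements correlation rules (sigma-cli with a pySigma backend that supports them); a backend without correlation support will reject the second document instead of silently dropping the aggregation. The older Sigma v1 form, `condition: selection | count() by TargetUserName >= 5` together with a top-level `timeframe: 1m`, expresses the same detection but is deprecated in the v2 specification and is not implemented by pySigma, which is why a converter built on it only ever yields the single-event query.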