[Tuning] Windows BruteForce Rules Tuning

Samirbous · Samirbous · commit 126e68a1e143 · 2025-12-11T11:27:46.000Z
#1 Multiple Logon Failure from the same Source Address: converted to ES|QL and raised the threshold to 100 failed auths, alert quality should be better since it aggregates all failed auths info into one alert vs multiple EQL matches. (expected reduction more than 50%) #2 Privileged Account Brute Force - coverted to ESQL and set the threshold to 50 in a minute. this should drop noise volume by more than 50%.
diff --git a/rules/windows/credential_access_bruteforce_admin_account.toml b/rules/windows/credential_access_bruteforce_admin_account.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/29"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2025/11/14"
+updated_date = "2025/12/11"
 
 [transform]
 [[transform.osquery]]
@@ -39,7 +39,7 @@ password, in an attempt to gain access to accounts.
 """
 from = "now-9m"
 index = ["logs-system.security*", "logs-windows.forwarded*", "winlogbeat-*"]
-language = "eql"
+language = "esql"
 license = "Elastic License v2"
 name = "Privileged Account Brute Force"
 note = """## Triage and analysis
@@ -103,16 +103,28 @@ tags = [
     "Resources: Investigation Guide",
     "Data Source: Windows Security Event Logs",
 ]
-type = "eql"
+type = "esql"
 
 query = '''
-sequence by winlog.computer_name, source.ip with maxspan=10s
-  [authentication where host.os.type == "windows" and
-    event.action == "logon-failed" and winlog.logon.type : "Network" and
-    source.ip != null and source.ip != "127.0.0.1" and source.ip != "::1" and user.name : "*admin*" and
-
-    /* noisy failure status codes often associated to authentication misconfiguration */
-    not winlog.event_data.Status : ("0xC000015B", "0XC000005E", "0XC0000133", "0XC0000192")] with runs=5
+from logs-system.security*, logs-windows.forwarded*, winlogbeat-* metadata _id, _version, _index
+| where event.category == "authentication" and host.os.type == "windows" and event.action == "logon-failed" and
+  winlog.logon.type == "Network" and source.ip is not null and winlog.computer_name is not null and
+  not cidr_match(TO_IP(source.ip), "127.0.0.0/8", "::1") and
+  to_lower(winlog.event_data.TargetUserName) like "*admin*"  and
+  /*
+    noisy failure status codes often associated to authentication misconfiguration
+     0xC000015B - The user has not been granted the requested logon type (also called the logon right) at this machine.
+     0XC000005E - There are currently no logon servers available to service the logon request.
+     0XC0000133 - Clocks between DC and other computer too far out of sync.
+     0XC0000192 An attempt was made to logon, but the Netlogon service was not started.
+     0xc00000dc - DC is in shutdown phase, it will normally tell current clients to use another DC for authentication.
+  */
+  not winlog.event_data.Status in ("0xc000015b", "0xc000005e", "0xc0000133", "0xc0000192", "0xc00000dc")
+// truncate the timestamp to a 60-second window
+| eval Esql.time_window = date_trunc(60 seconds, @timestamp)
+| stats Esql.failed_auth_count = COUNT(*), Esql.target_user_name_values = VALUES(winlog.event_data.TargetUserName), Esql.user_domain_values = VALUES(user.domain), Esql.error_codes = VALUES(winlog.event_data.Status) by winlog.computer_name, source.ip, Esql.time_window, winlog.logon.type
+| where Esql.failed_auth_count >= 50
+| KEEP winlog.computer_name, source.ip, Esql.time_window, winlog.logon.type, Esql.*
 '''
 
 
diff --git a/rules/windows/credential_access_bruteforce_multiple_logon_failure_same_srcip.toml b/rules/windows/credential_access_bruteforce_multiple_logon_failure_same_srcip.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/29"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2025/11/14"
+updated_date = "2025/12/11"
 
 [transform]
 [[transform.osquery]]
@@ -39,7 +39,7 @@ to gain access to accounts.
 """
 from = "now-9m"
 index = ["logs-system.security*", "logs-windows.forwarded*", "winlogbeat-*"]
-language = "eql"
+language = "esql"
 license = "Elastic License v2"
 name = "Multiple Logon Failure from the same Source Address"
 note = """## Triage and analysis
@@ -117,24 +117,29 @@ tags = [
     "Resources: Investigation Guide",
     "Data Source: Windows Security Event Logs",
 ]
-type = "eql"
+timestamp_override = "event.ingested"
+type = "esql"
 
 query = '''
-sequence by winlog.computer_name, source.ip with maxspan=10s
-  [authentication where host.os.type == "windows" and event.action == "logon-failed" and
-    /* event 4625 need to be logged */
-    winlog.logon.type : "Network" and
-    source.ip != null and source.ip != "127.0.0.1" and source.ip != "::1" and
-    not user.name : ("ANONYMOUS LOGON", "-", "*$") and not user.domain == "NT AUTHORITY" and
-
-    /*
-    noisy failure status codes often associated to authentication misconfiguration :
+from logs-system.security*, logs-windows.forwarded*, winlogbeat-* metadata _id, _version, _index
+| where event.category == "authentication" and host.os.type == "windows" and event.action == "logon-failed" and
+  winlog.logon.type == "Network" and source.ip is not null and winlog.computer_name is not null and
+  not cidr_match(TO_IP(source.ip), "127.0.0.0/8", "::1") and
+  not user.name in ("ANONYMOUS LOGON", "-") and not user.name like "*$" and user.domain != "NT AUTHORITY" and
+  /*
+    noisy failure status codes often associated to authentication misconfiguration
      0xC000015B - The user has not been granted the requested logon type (also called the logon right) at this machine.
-     0XC000005E	- There are currently no logon servers available to service the logon request.
-     0XC0000133	- Clocks between DC and other computer too far out of sync.
-     0XC0000192	An attempt was made to logon, but the Netlogon service was not started.
-    */
-    not winlog.event_data.Status : ("0xC000015B", "0XC000005E", "0XC0000133", "0XC0000192")] with runs=10
+     0XC000005E - There are currently no logon servers available to service the logon request.
+     0XC0000133 - Clocks between DC and other computer too far out of sync.
+     0XC0000192 An attempt was made to logon, but the Netlogon service was not started.
+     0xc00000dc - DC is in shutdown phase, it will normally tell current clients to use another DC for authentication.
+  */
+  not winlog.event_data.Status in ("0xc000015b", "0xc000005e", "0xc0000133", "0xc0000192", "0xc00000dc")
+// truncate the timestamp to a 60-second window
+| eval Esql.time_window = date_trunc(60 seconds, @timestamp)
+| stats Esql.failed_auth_count = COUNT(*), Esql.target_user_name_values = VALUES(winlog.event_data.TargetUserName), Esql.user_domain_values = VALUES(user.domain), Esql.error_codes = VALUES(winlog.event_data.Status) by winlog.computer_name, source.ip, Esql.time_window, winlog.logon.type
+| where Esql.failed_auth_count >= 100
+| KEEP winlog.computer_name, source.ip, Esql.time_window, winlog.logon.type, Esql.*
 '''
 
 
