Update rules/windows/credential_access_bruteforce_admin_account.toml

Samirbous · Aegrah · web-flow · commit bd97ee1451ce · 2025-12-12T09:46:16.000Z
Co-authored-by: Ruben Groenewoud &lt;78494512+Aegrah@users.noreply.github.com&gt;
diff --git a/rules/windows/credential_access_bruteforce_admin_account.toml b/rules/windows/credential_access_bruteforce_admin_account.toml
@@ -121,7 +121,7 @@ from logs-system.security*, logs-windows.forwarded*, winlogbeat-* metadata _id,
   not winlog.event_data.Status in ("0xc000015b", "0xc000005e", "0xc0000133", "0xc0000192", "0xc00000dc")
 // truncate the timestamp to a 60-second window
 | eval Esql.time_window = date_trunc(60 seconds, @timestamp)
-| stats Esql.failed_auth_count = COUNT(*), Esql.target_user_name_values = VALUES(winlog.event_data.TargetUserName), Esql.user_domain_values = VALUES(user.domain), Esql.error_codes = VALUES(winlog.event_data.Status) by winlog.computer_name, source.ip, Esql.time_window, winlog.logon.type
+| stats Esql.failed_auth_count = COUNT(*), Esql.target_user_name_values = VALUES(winlog.event_data.TargetUserName), Esql.user_domain_values = VALUES(user.domain), Esql.error_codes = VALUES(winlog.event_data.Status), Esql.data_stream_namespace.values = VALUES(data_stream.namespace) by winlog.computer_name, source.ip, Esql.time_window, winlog.logon.type
 | where Esql.failed_auth_count >= 50
 | KEEP winlog.computer_name, source.ip, Esql.time_window, winlog.logon.type, Esql.*
 '''
