Update detections/network/windows_remote_desktop_network_bruteforce_attempt.yml

patel-bhavin · nasbench · web-flow · commit 15d12b81eed2 · 2025-02-11T10:04:24.000-08:00
Co-authored-by: Nasreddine Bencherchali &lt;nasreddineb@splunk.com&gt;
diff --git a/detections/network/windows_remote_desktop_network_bruteforce_attempt.yml b/detections/network/windows_remote_desktop_network_bruteforce_attempt.yml
@@ -4,7 +4,7 @@ version: 6
 date: '2025-01-10'
 author: Jose Hernandez, Bhavin Patel, Splunk
 status: production
-type: TTP
+type: Anomaly
 description: The following analytic identifies potential Remote Desktop Protocol (RDP) brute force attacks by monitoring network traffic for RDP application activity. This query detects potential RDP brute force attacks by identifying source IPs that have made more than 10 connection attempts to the same RDP port on a host within a one-hour window. The results are presented in a table that includes the source and destination IPs, destination port, number of attempts, and the times of the first and last connection attempts, helping to prioritize IPs based on the intensity of activity.
 data_source:
 - Sysmon EventID 3
