Successful login after multiple attempts

Alert description

Successful login after at least 5 failed attempts on the same user account in less than 10 minutes.

Data sources needed

In order for the alert to be set, the following source needs to be collected in Cyberquest:

  - Windows Security Log with Logon audits enabled in GPO

Alert setup

  1. Open the Cyberquest web interface.

  2. Go to Settings > Alerts > Realtime.

  3. Create a new alert: press the Create new alert definition button.

  4. Create the first Rule for identifying the Windows 4625 Failed Logon event: press the Add field condition button and select EventID = 4625.

  5. Add a second rule, press the “Add correlation condition” button and select “UserName = Rule No. 1 UserName”.

  6. Add rule 3 and select “Add correlated condition” (UserName = Rule No. 1 UserName) and “Add field condition” (EventID = 4624).

  7. Save Alert & Exit.
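The correlation the rules above express (several 4625 events for one user, then a 4624 for the same user inside the window) is shown here as an added stand-alone example, not Cyberquest code; the log line format, the TargetUserName field name and the sample events are constructed for illustration, and the 5-failure / 10-minute thresholds are taken from the alert description.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not real data): timestamp, Windows EventID, target user.
SAMPLE_LOG = """\
2024-01-15T09:00:05 EventID=4625 TargetUserName=jsmith
2024-01-15T09:01:10 EventID=4625 TargetUserName=jsmith
2024-01-15T09:02:30 EventID=4625 TargetUserName=jsmith
2024-01-15T09:03:00 EventID=4625 TargetUserName=jsmith
2024-01-15T09:04:45 EventID=4625 TargetUserName=jsmith
2024-01-15T09:05:20 EventID=4624 TargetUserName=jsmith
2024-01-15T09:06:00 EventID=4625 TargetUserName=mjones
2024-01-15T09:07:00 EventID=4624 TargetUserName=mjones
2024-01-15T10:00:00 EventID=4625 TargetUserName=svc_backup
2024-01-15T10:02:00 EventID=4625 TargetUserName=svc_backup
2024-01-15T10:04:00 EventID=4625 TargetUserName=svc_backup
2024-01-15T10:06:00 EventID=4625 TargetUserName=svc_backup
2024-01-15T10:08:00 EventID=4625 TargetUserName=svc_backup
2024-01-15T10:11:00 EventID=4624 TargetUserName=svc_backup
"""

LINE_RE = re.compile(r"^(\S+) EventID=(\d+) TargetUserName=(\S+)$")

def parse_line(line):
    """Return (timestamp, event_id, user) for one constructed log line."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparsable line: {line!r}")
    return datetime.fromisoformat(m.group(1)), int(m.group(2)), m.group(3)

def detect_success_after_failures(log_text, min_failures=5, window=timedelta(minutes=10)):
    """Return (user, success_time, failure_count) for every 4624 that follows
    at least min_failures 4625 events for the same user inside the window."""
    failures = defaultdict(deque)   # user -> timestamps of recent 4625 events
    alerts = []
    for line in log_text.splitlines():
        ts, event_id, user = parse_line(line)
        q = failures[user]
        while q and ts - q[0] >= window:  # expire failures outside the window
            q.popleft()
        if event_id == 4625:
            q.append(ts)
        elif event_id == 4624:
            if len(q) >= min_failures:
                alerts.append((user, ts.isoformat(), len(q)))
            q.clear()  # a success ends the burst; start counting afresh
    return alerts
```

Running `detect_success_after_failures(SAMPLE_LOG)` flags only jsmith: mjones had a single failure, and svc_backup's first failure falls outside the 10-minute window, leaving four.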

Alert Object

To export the alert settings, click on Alert Object above.