Successful login after multiple attempts
Successful login after a minimum of 5 failed attempts for the same user in less than 10 minutes.
Data sources needed
In order for the alert to be set, the following source needs to be collected in Cyberquest:
- Windows Security Log with Logon audits enabled in GPO
- Open the Cyberquest web interface.
- Go to Settings > Alerts > Realtime.
- Create a new alert: press the “Create new alert definition” button.
- Create the first rule, which identifies the Windows 4625 failed logon: press the “Add field condition” button and select “EventID = 4625”.
- Add a second rule: press the “Add correlation condition” button and select “UserName = Rule No. 1 UserName”.
- Add rule 3: select “Add correlated condition” (UserName = Rule No. 1 UserName) and “Add field condition” (EventID = 4624).
- Save Alert & Exit
To export the alert settings, click on Alert Object above.
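The correlation these rules express (repeated 4625 events followed by a 4624 for the same UserName), run over constructed events, as an added example that is not Cyberquest's rule engine or export format. The EventID and UserName fields follow the page; the event dictionary layout, the reset of the counter after a successful logon, and the sample events are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_LOGON, SUCCESSFUL_LOGON = 4625, 4624   # Windows Security event IDs
MIN_FAILURES = 5                              # "minimum 5 failed attempts"
WINDOW = timedelta(minutes=10)                # "in less than 10 minutes"

def detect(events, min_failures=MIN_FAILURES, window=WINDOW):
    """Return one alert per 4624 that follows >= min_failures 4625 events
    for the same UserName, all within `window` of the successful logon."""
    failures = defaultdict(deque)             # UserName -> recent 4625 timestamps
    alerts = []
    for e in sorted(events, key=lambda e: e["time"]):
        recent = failures[e["UserName"].casefold()]   # account names are case-insensitive
        # Forget failures that are no longer inside the sliding window.
        while recent and e["time"] - recent[0] >= window:
            recent.popleft()
        if e["EventID"] == FAILED_LOGON:
            recent.append(e["time"])
        elif e["EventID"] == SUCCESSFUL_LOGON:
            if len(recent) >= min_failures:
                alerts.append({"UserName": e["UserName"], "failures": len(recent),
                               "first_failure": recent[0], "success": e["time"]})
            recent.clear()                    # assumption: a success resets the count
    return alerts

def ev(hhmm, event_id, user):
    """Build one constructed event; the date is arbitrary."""
    return {"time": datetime.strptime("2024-01-15 " + hhmm, "%Y-%m-%d %H:%M"),
            "EventID": event_id, "UserName": user}

# Constructed sample data, not real log output.
SAMPLE_EVENTS = (
    [ev(f"09:0{m}", 4625, "alice") for m in range(5)] + [ev("09:05", 4624, "alice")]    # alert
    + [ev(f"09:1{m}", 4625, "bob") for m in range(4)] + [ev("09:14", 4624, "bob")]      # 4 failures only
    + [ev(f"10:0{m}", 4625, "carol") for m in range(5)] + [ev("10:15", 4624, "carol")]  # too slow
)

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Replaying a known-good and a known-bad sequence like this against the saved alert is a quick way to confirm the threshold and time window behave as intended before relying on it.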