Successful login after multiple attempts
Alert description
Triggers on a successful login that follows at least 5 failed login attempts for the same user in less than 10 minutes.
Data sources needed
In order for the alert to be set, the following source needs to be collected in Cyberquest:
- Windows Security Log with Logon audits enabled in GPO

Alert setup
- Open Cyberquest web interface.
- Go to Settings > Alerts > Realtime
- Create a new alert, press Create new alert definition button.
- Create the first Rule for identifying the Windows 4625 Failed Logon, press Add field condition button, select EventID = 4625
- Add a second rule and press “Add correlation condition” button, select “UserName = Rule No. 1 UserName”.
- Add rule 3 and select “Add correlated condition” (UserName = Rule No. 1 Username) and “Add field condition” (EventID = 4624).
- Save Alert & Exit
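The correlation these rules express, written out as an added Python example that can be used to check the logic against exported events (it is not Cyberquest code or its alert export). Assumptions: each event is a dict with the page's `EventID` and `UserName` fields plus a `time` field, the 10 minutes are measured back from the successful logon, user names compare case-insensitively, and a success resets the failure count.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # "in less than 10 minutes"
MIN_FAILURES = 5                 # "minimum 5 failed attempts"

def detect(events):
    """Return (user, success_time, failure_count) for every 4624 that follows
    at least MIN_FAILURES 4625 events for the same user inside WINDOW."""
    failures = defaultdict(deque)            # user -> times of recent 4625 events
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        user = ev["UserName"].lower()        # assumption: case-insensitive match
        recent = failures[user]
        # Forget failures that are 10 minutes old or older at this event.
        while recent and ev["time"] - recent[0] >= WINDOW:
            recent.popleft()
        if ev["EventID"] == 4625:            # failed logon
            recent.append(ev["time"])
        elif ev["EventID"] == 4624:          # successful logon
            if len(recent) >= MIN_FAILURES:
                alerts.append((user, ev["time"], len(recent)))
            recent.clear()                   # assumption: success ends the streak
    return alerts

def _ev(hms, event_id, user):
    """Build one constructed sample event (date and users are made up)."""
    return {"time": datetime.fromisoformat(f"2024-01-01T{hms}"),
            "EventID": event_id, "UserName": user}

# Constructed sample data, not real logs:
#   alice: 5 failures in 5 minutes, then success      -> alert
#   bob:   4 failures, then success                   -> below threshold
#   carol: 5 failures spread over 12 minutes, success -> outside the window
SAMPLE = (
    [_ev(f"09:0{m}:00", 4625, "alice") for m in range(5)]
    + [_ev("09:05:00", 4624, "Alice")]
    + [_ev(f"09:0{m}:30", 4625, "bob") for m in range(4)]
    + [_ev("09:04:30", 4624, "bob")]
    + [_ev(f"09:{m:02d}:10", 4625, "carol") for m in (0, 3, 6, 9, 12)]
    + [_ev("09:13:10", 4624, "carol")]
)

if __name__ == "__main__":
    for user, when, count in detect(SAMPLE):
        print(f"ALERT {user}: success at {when} after {count} failed logons")
```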
Alert Object
To export the alert settings, click on Alert Object above.