Replies: 2 comments
-
Hi! Thank you for reporting this. Having our engineer take a look now. Sorry for the delay.
-
Hello, this rule has been updated recently. Could you confirm if the issue persists in the latest version?
-
The rule triggers alerts for every single matching event because the first cache block has minCount: 1, causing it to save the IP even on isolated events. This leads the second condition to match frequently if 5 similar events from that IP occurred in the past 4 minutes, resulting in constant alerts.
UTM Version 10.7.2
Rule version v1.0.2
```yaml
severity: "Medium"
description: "Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained."
solution: "Set account lockout policies after a certain number of failed login attempts to prevent passwords from being guessed.
  Use multi-factor authentication. Where possible, also enable multi-factor authentication on externally facing services."
category: "Potentially Malicious Activity"
tactic: "Brute Force"
dataTypes: ["wineventlog"]
reference:
frequency: 60
cache:
  - operator: "in"
    value: 18456,201,203,204,4771,304,305,306,20187,20014,20078,20050,20049,20189,644,4740
    timeLapse: 60
    minCount: 1
    save:
      - alias: "IPAddress"
  - operator: "=="
    value: "{{.IPAddress}}"
    operator: "in"
    value: 18456,201,203,204,4771,304,305,306,20187,20014,20078,20050,20049,20189,644,4740
    timeLapse: 240
    minCount: 5
    save:
      - alias: "SourceUser"
      - alias: "DestinationHost"
      - alias: "DestinationIP"
      - alias: "DestinationPort"
      - alias: "DestinationUser"
```
Regards,
Arun
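The two-block correlation described in the report, modelled as a small Python simulation. This is an added example, not UTMStack's correlation engine or the rule's own code: the window semantics are simplified (each block keeps a per-IP deque of timestamps and compares its length to minCount), the sample events are constructed, and the `stage1_mincount` and `suppress_for` knobs are assumptions added to show what changing the first block's minCount or adding per-IP alert suppression would do. It reproduces the behaviour in the report: with minCount 1 on the first block, every matching event saves the IP, and once five events from that IP sit in the 240 s window, every further event raises another alert.

```python
from collections import defaultdict, deque

# Event IDs copied from the posted rule; both cache blocks use the same list.
FAILED_LOGON_IDS = {18456, 201, 203, 204, 4771, 304, 305, 306, 20187,
                    20014, 20078, 20050, 20049, 20189, 644, 4740}

# Windows and thresholds as posted: first block saves the IP, second counts.
STAGE1_TIMELAPSE = 60     # seconds
STAGE1_MINCOUNT = 1
STAGE2_TIMELAPSE = 240    # seconds
STAGE2_MINCOUNT = 5


def _prune(window, now, lapse):
    """Drop timestamps older than `lapse` seconds before `now`."""
    while window and window[0] < now - lapse:
        window.popleft()


class BruteForceCorrelator:
    """Simplified model of the two cache blocks in the posted rule.

    Block 1: a matching event counts toward a per-IP window of
    STAGE1_TIMELAPSE seconds; once that window holds stage1_mincount
    events the IP is saved as the IPAddress alias.
    Block 2: a matching event whose IP equals a saved alias counts toward
    a per-IP window of STAGE2_TIMELAPSE seconds; once that window holds
    STAGE2_MINCOUNT events the rule alerts.

    `suppress_for` is an assumed extra that is NOT in the posted rule:
    after an alert for an IP, further alerts for that IP are dropped for
    that many seconds. 0 reproduces the posted behaviour.
    """

    def __init__(self, stage1_mincount=STAGE1_MINCOUNT, suppress_for=0):
        self.stage1_mincount = stage1_mincount
        self.suppress_for = suppress_for
        self.stage1 = defaultdict(deque)   # ip -> timestamps seen by block 1
        self.saved_ip_at = {}              # ip -> ts when the alias was saved
        self.stage2 = defaultdict(deque)   # ip -> timestamps seen by block 2
        self.last_alert_at = {}            # ip -> ts of the last alert

    def process(self, event):
        """Feed one event; return an alert dict, or None."""
        ts, event_id, ip = event["ts"], event["event_id"], event["ip"]
        if event_id not in FAILED_LOGON_IDS:
            return None

        # Block 1: count within the 60 s window, save the IP at minCount.
        w1 = self.stage1[ip]
        _prune(w1, ts, STAGE1_TIMELAPSE)
        w1.append(ts)
        if len(w1) >= self.stage1_mincount:
            self.saved_ip_at[ip] = ts

        # Block 2: only events from a saved IP are counted here.
        saved = self.saved_ip_at.get(ip)
        if saved is None or ts - saved > STAGE2_TIMELAPSE:
            return None
        w2 = self.stage2[ip]
        _prune(w2, ts, STAGE2_TIMELAPSE)
        w2.append(ts)
        if len(w2) < STAGE2_MINCOUNT:
            return None

        # The posted rule alerts on every event that meets the threshold;
        # the assumed suppression window is the only thing that stops that.
        last = self.last_alert_at.get(ip)
        if last is not None and ts - last < self.suppress_for:
            return None
        self.last_alert_at[ip] = ts
        return {"ts": ts, "ip": ip, "count": len(w2), "user": event.get("user")}


def run(events, **kwargs):
    """Return the alerts produced for a sequence of events, in order."""
    c = BruteForceCorrelator(**kwargs)
    return [a for a in (c.process(e) for e in events) if a]


# Constructed sample input: eight Kerberos pre-auth failures (4771) from one
# IP, 30 s apart, plus one isolated failure from another IP much later.
SAMPLE_EVENTS = [
    {"ts": 30 * i, "event_id": 4771, "ip": "203.0.113.7", "user": "svc-backup"}
    for i in range(8)
] + [{"ts": 1000, "event_id": 4771, "ip": "198.51.100.9", "user": "jdoe"}]


if __name__ == "__main__":
    for a in run(SAMPLE_EVENTS):
        print(f"ALERT t={a['ts']:>4}s ip={a['ip']} count={a['count']}")
    print("alerts with 240 s per-IP suppression:",
          len(run(SAMPLE_EVENTS, suppress_for=240)))
```

With the rule as posted the burst from 203.0.113.7 produces four alerts (events 5 through 8, one per event once the window holds five), while the isolated 4771 from 198.51.100.9 saves its IP but never reaches the second threshold. Raising the first block's minCount to 3 only delays the first alert; it does not stop the per-event re-firing, which is why the assumed per-IP suppression window is what collapses the burst to a single alert.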