Replies: 2 comments 1 reply
-
Hi! Thank you for reporting this. Having our engineer take a look now. Sorry for the delay.
-
Hello, this rule has been updated recently, could you confirm if the issue persists in the latest version?
-
The rule triggers alerts for every single matching event because the first cache block has minCount: 1, causing it to save the IP even on isolated events. This leads the second condition to match frequently if 5 similar events from that IP occurred in the past 4 minutes, resulting in constant alerts.
UTM Version: 10.7.2
Rule version: v1.0.2
```yaml
severity: "Medium"
description: "Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained."
solution: "Set account lockout policies after a certain number of failed login attempts to prevent passwords from being guessed.
  Use multi-factor authentication. Where possible, also enable multi-factor authentication on externally facing services."
category: "Potentially Malicious Activity"
tactic: "Brute Force"
dataTypes: ["wineventlog"]
reference:
frequency: 60
cache:
  # first cache block: matches a single failed-logon event and saves its IP
  - operator: "in"
    value: 18456,201,203,204,4771,304,305,306,20187,20014,20078,20050,20049,20189,644,4740
    timeLapse: 60
    minCount: 1
    save:
      - alias: "IPAddress"
  # second cache block: two conditions, the saved IP and the same event IDs
  - operator: "=="
    value: "{{.IPAddress}}"
    operator: "in"
    value: 18456,201,203,204,4771,304,305,306,20187,20014,20078,20050,20049,20189,644,4740
    timeLapse: 240
    minCount: 5
    save:
      - alias: "SourceUser"
      - alias: "DestinationHost"
      - alias: "DestinationIP"
      - alias: "DestinationPort"
      - alias: "DestinationUser"
```
Regards,
Arun