2 Replies Latest reply on May 16, 2019 8:46 AM by mlentoski

    Password Spraying Policy
      I'm brand new to LEM and I'm struggling to create a rule that would send an email notification after X failed login attempts originate from the same source machine in Y seconds. Is anyone using LEM to combat password spraying attacks? We're a Windows shop with

        • Re: Password Spraying Policy

          We use two rules, one for 20+ failures within 30 seconds from a single IP, and another for 40+ failures within 60 minutes from a single IP.  Here's what the first looks like:
          UserLogonFailure AND

          UserLogonFailure.DestinationAccount <> UserLogonFailure.DestinationMachine
          20 Events within 30 seconds

               Field: UserLogonFailure.SourceMachine   Modifier:SAME *

          Response Window 5 minutes


          * Click on the Gear/Clock icon to the right of "Events within" to access advanced settings.
          In truth, the first "UserLogonFailure" probably isn't necessary, but this was one of my first rules so I was still experimenting when I wrote it.

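The two rules described in the reply above, as an added example in Python (not code from the original thread, and not LEM itself): a sliding-window count of UserLogonFailure events keyed on SourceMachine, with the 20-in-30-seconds and 40-in-60-minutes thresholds, the `DestinationAccount <> DestinationMachine` clause applied as a pre-filter, and the 5-minute response window used to suppress repeat alerts for the same source. The event records are constructed for the example; the assumption that a computer-account failure shows the machine name with a trailing `$` as the account is mine, not LEM's documented normalization. It goes one step beyond the post by reporting how many distinct accounts sat in the window when the rule fired, which is the figure that separates a spray (many accounts, one source) from a single locked-out user.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# The two rules from the reply: 20+ failures in 30 s, 40+ failures in 60 min.
RULES = [
    {"name": "burst", "threshold": 20, "window": timedelta(seconds=30)},
    {"name": "slow", "threshold": 40, "window": timedelta(minutes=60)},
]


def constructed_events():
    """Constructed sample of normalized failed-logon events (not real logs).

    Fields mirror the LEM rule: SourceMachine, DestinationAccount,
    DestinationMachine, plus a timestamp.
    """
    base = datetime(2019, 5, 16, 8, 0, 0)
    evs = []
    # Burst spray: 10.0.0.5 tries 25 different accounts, one per second.
    for i in range(25):
        evs.append({"time": base + timedelta(seconds=i), "source": "10.0.0.5",
                    "account": f"user{i:02d}", "dest": "DC01"})
    # Computer-account noise from a workstation (assumption: account shown as
    # NAME$ for machine NAME). Must NOT alert: the account<>machine clause
    # filters it, even though there are 30 failures in 30 seconds.
    for i in range(30):
        evs.append({"time": base + timedelta(seconds=i), "source": "10.0.0.7",
                    "account": "WKS07$", "dest": "WKS07"})
    # Slow spray: 10.0.0.9 cycles 9 service accounts, one attempt every 66 s,
    # 42 attempts in total (never 20 in 30 s, but 40+ inside 60 min).
    for i in range(42):
        evs.append({"time": base + timedelta(seconds=66 * i), "source": "10.0.0.9",
                    "account": f"svc{i % 9}", "dest": "DC01"})
    # Benign user mistyping a password three times.
    for i in range(3):
        evs.append({"time": base + timedelta(minutes=5, seconds=7 * i),
                    "source": "10.0.0.20", "account": "alice", "dest": "DC01"})
    return evs


def is_user_logon_failure(ev):
    """UserLogonFailure.DestinationAccount <> UserLogonFailure.DestinationMachine.

    Drops failures where the 'account' is the destination computer's own
    account (assumption: rendered as the machine name plus '$').
    """
    return ev["account"].rstrip("$").upper() != ev["dest"].upper()


def detect(events, rules, response_window=timedelta(minutes=5)):
    """Run each rule as a sliding window of failures per SourceMachine.

    Fires one alert when a source's window holds >= threshold failures, then
    stays quiet for that (rule, source) until response_window has elapsed,
    mirroring LEM's Response Window so one spray does not produce one alert
    per extra attempt.
    """
    alerts = []
    for rule in rules:
        windows = defaultdict(deque)  # source -> deque of (time, account)
        quiet_until = {}              # source -> earliest time to alert again
        for ev in sorted(events, key=lambda e: e["time"]):
            if not is_user_logon_failure(ev):
                continue
            now, src = ev["time"], ev["source"]
            win = windows[src]
            win.append((now, ev["account"]))
            # Evict everything older than the rule's window (inclusive bound).
            while now - win[0][0] > rule["window"]:
                win.popleft()
            if len(win) >= rule["threshold"] and now >= quiet_until.get(src, now):
                alerts.append({
                    "rule": rule["name"],
                    "source": src,
                    "time": now,
                    "count": len(win),
                    "distinct_accounts": len({acct for _, acct in win}),
                })
                quiet_until[src] = now + response_window
    return alerts


if __name__ == "__main__":
    for a in detect(constructed_events(), RULES):
        print(f"{a['time']:%H:%M:%S} {a['rule']:5} source={a['source']} "
              f"failures={a['count']} distinct_accounts={a['distinct_accounts']}")
```

Run as-is it prints two alerts: the burst rule on 10.0.0.5 at the 20th failure (20 distinct accounts) and the slow rule on 10.0.0.9 at the 40th failure (9 distinct accounts); 10.0.0.7 never alerts because every one of its events is a computer-account failure removed by the filter, and alice's three typos never approach a threshold.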