2 Replies Latest reply on May 16, 2019 8:46 AM by mlentoski

    Password Spraying Policy

    joshua-kreider

      I'm brand new to LEM and I'm struggling to create a rule that would send an email notification after X failed login attempts originate from the same source machine in Y seconds. Is anyone using LEM to combat password spraying attacks? We're a Windows shop with

        • Re: Password Spraying Policy
          billcurnow

          We use two rules, one for 20+ failures within 30 seconds from a single IP, and another for 40+ failures within 60 minutes from a single IP.  Here's what the first looks like:

          Correlations

          UserLogonFailure AND
          UserLogonFailure.DestinationAccount <> UserLogonFailure.DestinationMachine

          CorrelationTime

          20 Events within 30 seconds
               Field: UserLogonFailure.SourceMachine   Modifier: SAME *

          Response Window 5 minutes

          * Click on the Gear/Clock icon to the right of "Events within" to access advanced settings.

          In truth, the first "UserLogonFailure" probably isn't necessary, but this was one of my first rules so I was still experimenting when I wrote it.

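To make the logic of the rule above concrete for anyone building the same thing in LEM or another tool, here is an added Python model of it (this is example code written for this thread, not billcurnow's rule export and not SolarWinds/LEM code). It keeps the rule's three parts: the correlation filter `DestinationAccount <> DestinationMachine` (which drops computer-account logons such as `WS07$` against `WS07$`), a sliding count of `UserLogonFailure` events per `SourceMachine` (20 within 30 seconds by default, or 40 within 60 minutes for the second rule), and a 5-minute response window that suppresses repeat alerts for the same source. The log line format, host names and IP addresses in the sample are constructed for the example; the event and field names come from the rule in the post.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Deque, Dict, List, Optional


@dataclass
class LogonFailure:
    ts: float                 # seconds since the epoch
    source_machine: str       # UserLogonFailure.SourceMachine
    destination_account: str  # UserLogonFailure.DestinationAccount
    destination_machine: str  # UserLogonFailure.DestinationMachine


@dataclass
class Alert:
    ts: float
    source_machine: str
    count: int            # failures inside the window when the rule fired
    accounts: List[str]   # distinct accounts tried, sorted (useful in the e-mail)


def parse_line(line: str) -> Optional[LogonFailure]:
    """Parse one line of the constructed format
    '<ISO-8601 UTC> UserLogonFailure src=<host> acct=<user> dst=<host>'.
    Any other event name yields None, so the rule only sees logon failures."""
    parts = line.split()
    if len(parts) != 5 or parts[1] != "UserLogonFailure":
        return None
    fields = dict(p.split("=", 1) for p in parts[2:])
    ts = datetime.fromisoformat(parts[0].replace("Z", "+00:00")).timestamp()
    return LogonFailure(ts, fields["src"], fields["acct"], fields["dst"])


class SprayDetector:
    """N UserLogonFailure events within T seconds from the SAME SourceMachine."""

    def __init__(self, threshold: int = 20, window_s: int = 30,
                 response_window_s: int = 300):
        self.threshold = threshold
        self.window_s = window_s
        self.response_window_s = response_window_s
        self._recent: Dict[str, Deque[LogonFailure]] = defaultdict(deque)
        self._last_alert: Dict[str, float] = {}

    def observe(self, ev: LogonFailure) -> Optional[Alert]:
        # Correlation filter: DestinationAccount <> DestinationMachine.
        if ev.destination_account == ev.destination_machine:
            return None
        q = self._recent[ev.source_machine]
        q.append(ev)
        # Evict anything older than the correlation window.
        while q and ev.ts - q[0].ts > self.window_s:
            q.popleft()
        if len(q) < self.threshold:
            return None
        # Response window: one alert per source per response_window_s seconds.
        last = self._last_alert.get(ev.source_machine)
        if last is not None and ev.ts - last < self.response_window_s:
            return None
        self._last_alert[ev.source_machine] = ev.ts
        accounts = sorted({e.destination_account for e in q})
        return Alert(ev.ts, ev.source_machine, len(q), accounts)


def run(lines: List[str], **rule) -> List[Alert]:
    """Feed log lines through the detector; returns every alert it raised."""
    det = SprayDetector(**rule)
    alerts: List[Alert] = []
    for line in lines:
        ev = parse_line(line)
        if ev is not None:
            alert = det.observe(ev)
            if alert is not None:
                alerts.append(alert)
    return alerts


def _sample_log() -> List[str]:
    """Constructed sample: 25 failures in 25 s from 10.0.0.5 spread over 12
    accounts (a spray), three scattered failures from 10.0.0.9 (normal typos),
    30 computer-account failures from 10.0.0.7 that the filter must ignore, and
    one unrelated event type."""
    base = datetime(2019, 5, 16, 8, 0, 0, tzinfo=timezone.utc)

    def at(sec: int) -> str:
        return (base + timedelta(seconds=sec)).strftime("%Y-%m-%dT%H:%M:%SZ")

    lines = [f"{at(i)} UserLogonFailure src=10.0.0.5 acct=user{i % 12} dst=DC01"
             for i in range(25)]
    lines += [f"{at(s)} UserLogonFailure src=10.0.0.9 acct=alice dst=DC01"
              for s in (5, 40, 90)]
    lines += [f"{at(s)} UserLogonFailure src=10.0.0.7 acct=WS07$ dst=WS07$"
              for s in range(30)]
    lines.append(f"{at(10)} UserLogon src=10.0.0.5 acct=user1 dst=DC01")
    return sorted(lines)  # ISO timestamps sort chronologically as strings


SAMPLE_LOG = _sample_log()

if __name__ == "__main__":
    for a in run(SAMPLE_LOG):
        print(f"{a.source_machine}: {a.count} failures, accounts={a.accounts}")
```

Running it on the sample raises exactly one alert, for 10.0.0.5 on its 20th failure, and nothing for the computer-account noise or the occasional failures from 10.0.0.9; setting `response_window_s=0` shows why the 5-minute window matters, since every further failure from the same source would then fire again. The same class with `threshold=40, window_s=3600` is the second, slower rule from the post.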