Neo23x0/sigma_correlation_failed_login_success.yml

## sigma_correlation_failed_login_success.yml
title: Correlation - Multiple Failed Logins Followed by Successful Login
id: b180ead8-d58f-40b2-ae54-c8940995b9b6
status: experimental
description: Detects multiple failed logins by a single user followed by a successful login of that user
references:
    - https://reference.com
author: Florian Roth (Nextron Systems)
date: 2023/06/16
correlation:
    type: temporal
    rules:
        - multiple_failed_logins  # We reference rules in the correlation rule file using their 'name,' a new field that simplifies the referencing process
        - successful_login
        # - e3592b98-1cae-4549-a12d-fb5893d32733 # (external) custom rule that can be referenced with its ID
    group-by:
        - User
    timespan: 10m
    ordered: true
falsepositives:
    - Users who have forgotten their passwords and make numerous attempts to guess them correctly
level: high
---
name: multiple_failed_logins
id: a8418a5a-5fc4-46b5-b23b-6c73beb19d41
description: Detects multiple failed logins within a certain amount of time
correlation:
    type: event_count
    rules:
        - failed_login
    group-by:
        - User
        - IpAddress
    timespan: 10m
    condition:
        gte: 10  # gte means "greater than or equal"
    fields:
        - WorkstationName
---
name: failed_login
id: 53ba33fd-3a50-4468-a5ef-c583635cfa92
description: Detects a single failed login attempt on a Windows system
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID:
            - 529
            - 4625
    condition: selection
---
name: successful_login
id: 4d0a2c83-c62c-4ed4-b475-c7e23a9269b8
description: Detects a successful login attempt on a Windows system
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID:
            - 528
            - 4624
    condition: selection
	title: Correlation - Multiple Failed Logins Followed by Successful Login
	id: b180ead8-d58f-40b2-ae54-c8940995b9b6
	status: experimental
	description: Detects multiple failed logins by a single user followed by a successful login of that user
	references:
	- https://reference.com
	author: Florian Roth (Nextron Systems)
	date: 2023/06/16
	correlation:
	type: temporal
	rules:
	- multiple_failed_logins # We reference rules in the correlation rule file using their 'name,' a new field that simplifies the referencing process
	- successful_login
	# - e3592b98-1cae-4549-a12d-fb5893d32733 # (external) custom rule that can be referenced with its ID
	group-by:
	- User
	timespan: 10m
	ordered: true
	falsepositives:
	- Users who have forgotten their passwords and make numerous attempts to guess them correctly
	level: high
	---
	name: multiple_failed_logins
	id: a8418a5a-5fc4-46b5-b23b-6c73beb19d41
	description: Detects multiple failed logins within a certain amount of time
	correlation:
	type: event_count
	rules:
	- failed_login
	group-by:
	- User
	- IpAddress
	timespan: 10m
	condition:
	gte: 10 # gte means "greater than or equal"
	fields:
	- WorkstationName
	---
	name: failed_login
	id: 53ba33fd-3a50-4468-a5ef-c583635cfa92
	description: Detects a single failed login attempt on a Windows system
	logsource:
	product: windows
	service: security
	detection:
	selection:
	EventID:
	- 529
	- 4625
	condition: selection
	---
	name: successful_login
	id: 4d0a2c83-c62c-4ed4-b475-c7e23a9269b8
	description: Detects a successful login attempt on a Windows system
	logsource:
	product: windows
	service: security
	detection:
	selection:
	EventID:
	- 528
	- 4624
	condition: selection