As an example, consider configuring an analytics rule that will detect brute force attack attempts.
A brute force attack is a method of cracking user accounts by guessing their passwords. The essence of the approach is sequential automated iteration over of all possible character combinations to determine the correct one.
After configuring the general settings, such as rule name, description, threat level, priority, triggered alert category, and timezone, several conditions were specified.
-
source = 'endpoint events log' AND logEventId = 4625 AND data MATCH 'Failure Reason:(\s*)Unknown user name or bad password.'
This condition performs a search of the endpoint event log for an event ID of 4625 corresponding to a failed account authorization attempt. The MATCH part of the condition specifies the reason for denied authorization as an invalid login or password.
For more details on event 4625, see the relevant documentation: https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625.
-
source = 'endpoint events log' AND logEventId = 4672
This condition performs a search of the endpoint event log for an event ID of 4672 corresponding to a successful authorization where special privileges are assigned to the current session.
For more details on event 4672, see the relevant documentation: https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4672.
-
source = 'endpoint events log' AND logEventId = 4624
This condition performs a search of the endpoint event log for an event ID of 4624 corresponding to a successful user login to the system.
For more details on event 4624, see the relevant documentation: https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4624.