
Monitoring Failed Login Attempts: A Security Use Case

Use Case: Monitoring Failed Login Attempts
Objective
Detect and respond to multiple failed login attempts to identify potential brute force attacks or unauthorized access attempts.
Data Sources

Windows Event Logs: Event ID 4625 (failed logon).
Firewall Logs: Track network access and connections.
Active Directory (AD) Logs: Record login attempts and account lockouts.
Endpoint Logs: Capture detailed information about activities on endpoints.
Detection Logic
Identify patterns of multiple failed login attempts within a short time frame to detect potential brute force attacks.
Steps to Implement and Test
1. Configure Data Collection

Ensure that your systems are configured to collect the necessary logs:

Windows Event Logs: Enable auditing for failed logon events.

Firewall Logs: Ensure that firewall logging is enabled to capture network
access.

AD Logs: Enable auditing for login attempts and account lockouts.

Endpoint Logs: Ensure that endpoint detection and response (EDR)
solutions are deployed and configured to log activities.
2. Define Thresholds

Establish a baseline for normal login attempts and define thresholds for failed
login attempts (e.g., 5 failed attempts within 10 minutes).
3. Set Up Monitoring and Alerts

Use a Security Information and Event Management (SIEM) system like Rapid7
IDR to monitor and correlate events:

Create Rules:

Rule 1: Detect Event ID 4625 (failed logon) and count occurrences
within the defined time frame.

Rule 2: Correlate firewall logs with failed login events to identify
network access patterns.

Rule 3: Monitor AD logs for account lockouts following multiple
failed login attempts.

Rule 4: Analyze endpoint logs for suspicious activities related to
failed login attempts.
Generate Alerts:

Configure Rapid7 IDR to generate alerts when these rules are
triggered.

Set up email or SMS notifications for immediate response.
4. Test the Detection Logic

Simulate Failed Login Attempts:

Perform multiple failed login attempts using a test account within a short
time frame.

Verify that the relevant events (4625) are logged.

Check if the Rapid7 IDR system generates the expected alerts.
Review Logs:

Analyze the event logs to ensure that the detection logic correctly
identifies multiple failed login attempts.

Adjust the correlation rules if necessary to reduce false positives.
5. Fine-Tune and Validate

Refine Rules:

Adjust the thresholds and conditions in the correlation rules based on
testing results.

Include additional context, such as user roles and historical login patterns,
to improve accuracy.
Continuous Monitoring:

Regularly review and update the detection rules to adapt to new threats
and changes in the environment.

Conduct periodic tests to validate the effectiveness of the detection logic.
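The following is an added example that is not part of the original document and is not Rapid7 IDR code or configuration. It implements the detection logic from steps 2 and 3 (Rule 1: count Event ID 4625 per account and source within a sliding 10-minute window, threshold of 5; Rule 3: escalate when an account lockout follows the burst) over constructed, CSV-style sample log lines. The log format, the account names, the IP addresses and the use of Event ID 4740 as the Windows Security log's lockout signal are assumptions for the example; the page itself only names 4625.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not real telemetry), one event per line:
#   <ISO timestamp>,<event ID>,<target account>,<source IP>
# 4625 = failed logon (named on the page); 4740 = account lockout in the
# Windows Security log (assumed here as the AD lockout signal).
SAMPLE_LOG = """\
2024-05-01T09:00:10,4625,alice,203.0.113.10
2024-05-01T09:00:30,4625,bob,198.51.100.7
2024-05-01T09:00:45,4625,alice,203.0.113.10
2024-05-01T09:01:20,4625,alice,203.0.113.10
2024-05-01T09:02:05,4625,alice,203.0.113.10
2024-05-01T09:03:30,4625,alice,203.0.113.10
2024-05-01T09:04:00,4625,alice,203.0.113.10
2024-05-01T09:04:30,4740,alice,203.0.113.10
2024-05-01T09:07:00,4625,bob,198.51.100.7
2024-05-01T09:10:00,4625,carol,203.0.113.10
2024-05-01T09:15:00,4625,bob,198.51.100.7
2024-05-01T09:22:00,4625,carol,203.0.113.10
2024-05-01T09:34:00,4625,carol,203.0.113.10
2024-05-01T09:46:00,4625,carol,203.0.113.10
2024-05-01T09:58:00,4625,carol,203.0.113.10
"""

THRESHOLD = 5                   # failed attempts ...
WINDOW = timedelta(minutes=10)  # ... within this sliding window (the page's example values)


def parse_log(text):
    """Parse the constructed CSV format into event dicts, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, user, ip = line.split(",")
        events.append({"time": datetime.fromisoformat(ts), "event_id": int(event_id),
                       "target_user": user, "source_ip": ip})
    return sorted(events, key=lambda e: e["time"])


def detect_failed_logins(events, threshold=THRESHOLD, window=WINDOW,
                         key_fn=lambda e: (e["target_user"], e["source_ip"])):
    """Rule 1: raise one alert per key once `threshold` 4625 events fall inside
    `window`. A deque per key keeps only the timestamps still inside the window."""
    recent = defaultdict(deque)
    alerts, alerted = [], set()
    for ev in events:
        if ev["event_id"] != 4625:
            continue
        key = key_fn(ev)
        q = recent[key]
        q.append(ev["time"])
        while ev["time"] - q[0] > window:  # drop attempts that aged out of the window
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)  # one alert per burst, not one per additional failure
            alerts.append({"key": key, "target_user": ev["target_user"],
                           "source_ip": ev["source_ip"], "count": len(q),
                           "first_seen": q[0], "last_seen": ev["time"],
                           "severity": "medium"})
    return alerts


def correlate_lockouts(events, alerts, window=WINDOW):
    """Rule 3: escalate an alert when a lockout (4740) for the same account
    follows the burst within `window`."""
    lockouts = [e for e in events if e["event_id"] == 4740]
    escalated = []
    for alert in alerts:
        for lo in lockouts:
            if (lo["target_user"] == alert["target_user"]
                    and alert["last_seen"] <= lo["time"] <= alert["last_seen"] + window):
                escalated.append({**alert, "severity": "high", "locked_out_at": lo["time"]})
                break
    return escalated


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    found = detect_failed_logins(evs)
    for a in found:
        print(f"ALERT ({a['severity']}): {a['count']} failed logons for {a['target_user']} "
              f"from {a['source_ip']} between {a['first_seen']:%H:%M:%S} and {a['last_seen']:%H:%M:%S}")
    for a in correlate_lockouts(evs, found):
        print(f"ESCALATED ({a['severity']}): {a['target_user']} locked out at {a['locked_out_at']:%H:%M:%S}")
```

In the sample data only alice trips the rule: five failures inside four minutes, and the lockout that follows raises the alert to high. bob's three attempts never reach the threshold, and carol's five attempts are spread over 48 minutes, so at most one of them is ever inside the 10-minute window; that is the baseline-versus-threshold distinction step 2 asks for. Keying on `(target_user, source_ip)` is the narrow form of Rule 1; passing `key_fn=lambda e: e["source_ip"]` counts all failures from one source regardless of account, which is the kind of network-access pattern Rule 2 is after.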
Example Scenario

User Action: An attacker attempts to log in to a user account multiple times within a
short period.

Log Entries:

Windows logs Event ID 4625 for each failed logon attempt.

Firewall logs show network access from the attacker's IP address.

AD logs record the failed login attempts and any subsequent account lockouts.

Endpoint logs capture any related suspicious activities.
Alert Generation: The Rapid7 IDR system correlates these events and generates an
alert for multiple failed login attempts.
Tools and Resources

Rapid7 IDR: a SIEM that supports log correlation and alerting.

Windows Event Viewer: To manually review and verify event logs.

Firewall Logs: Access logs from your firewall solution.

AD Logs: Review logs in Windows Event Viewer under "Security".

Endpoint Logs: Access logs from your EDR solution.