Use Case: Monitoring Failed Login Attempts
Objective Detect and respond to multiple failed login attempts to identify potential brute force
attacks or unauthorized access attempts.
Data Sources
Windows Event Logs:
Firewall Logs:
Track network access and connections.
Active Directory (AD) Logs:
Event ID 4625: Failed logon.
Record login attempts and account lockouts.
Endpoint Logs:
Capture detailed information about activities on endpoints.
Detection Logic Identify patterns of multiple failed login attempts within a short time frame to
detect potential brute force attacks.
Steps to Implement and Test
1. Configure Data Collection
Ensure that your systems are configured to collect the necessary logs:
Windows Event Logs: Enable auditing for failed logon events.
Firewall Logs: Ensure that firewall logging is enabled to capture network
access.
AD Logs: Enable auditing for login attempts and account lockouts.
Endpoint Logs: Ensure that endpoint detection and response (EDR)
solutions are deployed and configured to log activities.
2. Define Thresholds
Establish a baseline for normal login attempts and define thresholds for failed
login attempts (e.g., 5 failed attempts within 10 minutes).
3. Set Up Monitoring and Alerts
Use a Security Information and Event Management (SIEM) system like Rapid7
IDR to monitor and correlate events:
Create Rules:
Rule 1: Detect Event ID 4625 (failed logon) and count occurrences
within the defined time frame.
Rule 2: Correlate firewall logs with failed login events to identify
network access patterns.
Rule 3: Monitor AD logs for account lockouts following multiple
failed login attempts.
Rule 4: Analyze endpoint logs for suspicious activities related to
failed login attempts.
Generate Alerts:
Configure Rapid7 IDR to generate alerts when these rules are
triggered.
Set up email or SMS notifications for immediate response.
4. Test the Detection Logic
Simulate Failed Login Attempts:
Perform multiple failed login attempts using a test account within a short
time frame.
Verify that the relevant events (4625) are logged.
Check if the Rapid7 IDR system generates the expected alerts.
Review Logs:
Analyze the event logs to ensure that the detection logic correctly
identifies multiple failed login attempts.
Adjust the correlation rules if necessary to reduce false positives.
5. Fine-Tune and Validate
Refine Rules:
Adjust the thresholds and conditions in the correlation rules based on
testing results.
Include additional context, such as user roles and historical login patterns,
to improve accuracy.
Continuous Monitoring:
Regularly review and update the detection rules to adapt to new threats
and changes in the environment.
Conduct periodic tests to validate the effectiveness of the detection logic.
Example Scenario
User Action: An attacker attempts to log in to a user account multiple times within a
short period.
Log Entries:
Windows logs Event ID 4625 for each failed logon attempt.
Firewall logs show network access from the attacker's IP address.
AD logs record the failed login attempts and any subsequent account lockouts.
Endpoint logs capture any related suspicious activities.
Alert Generation: The Rapid7 IDR system correlates these events and generates an
alert for multiple failed login attempts.
Tools and Resources
Rapid7 IDR Systems: Rapid7 IDR that supports log correlation and alerting.
Windows Event Viewer: To manually review and verify event logs.
Firewall Logs: Access logs from your firewall solution.
AD Logs: Review logs in Windows Event Viewer under "Security".
Endpoint Logs: Access logs from your EDR solution.
0
