sequence by winlog.computer_name, source.ip with maxspan=5s
[authentication where event.action == "logon-failed" and
/* event 4625 needs to be logged */
winlog.logon.type : "Network" and user.id != null and
source.ip != null and source.ip != "127.0.0.1" and source.ip != "::1" and
not winlog.event_data.TargetUserSid : "S-1-0-0" and not user.id : "S-1-0-0" and
not user.name : ("ANONYMOUS LOGON", "-", "*$") and not user.domain == "NT AUTHORITY" and
/* noisy failure status codes often associated with authentication misconfiguration */
not winlog.event_data.Status : ("0xC000015B", "0XC000005E", "0XC0000133", "0XC0000192")] with runs=5
[authentication where event.action == "logged-in" and
/* event 4624 needs to be logged */
winlog.logon.type : "Network" and
source.ip != null and source.ip != "127.0.0.1" and source.ip != "::1" and
not user.name : ("ANONYMOUS LOGON", "-", "*$") and not user.domain == "NT AUTHORITY"]
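The sequence above, re-implemented as an added Python example (not Elastic's code) over constructed sample events: it groups events by host and source IP, applies the same exclusions, and alerts when five filtered 4625 failures are followed by a filtered 4624 success within the 5-second maxspan. The flat field names (`computer`, `source_ip`, `user_name`, ...) are assumptions standing in for the ECS/winlog fields.

```python
from datetime import datetime, timedelta

# Exclusions copied from the rule; status codes are compared case-insensitively
NOISY_STATUS = {"0xc000015b", "0xc000005e", "0xc0000133", "0xc0000192"}
LOOPBACK = {None, "127.0.0.1", "::1"}

def _common_filters(e):
    # Shared by both legs: network logon, remote source, no anonymous or machine accounts
    return (e["logon_type"] == "Network" and e["source_ip"] not in LOOPBACK
            and e["user_name"] not in ("ANONYMOUS LOGON", "-")
            and not e["user_name"].endswith("$")      # mirrors the "*$" wildcard
            and e["user_domain"] != "NT AUTHORITY")

def is_failed_logon(e):
    """First leg of the sequence: a filtered event 4625."""
    return (e["event_id"] == 4625 and _common_filters(e)
            and e.get("user_id") not in (None, "S-1-0-0")
            and e.get("status", "").lower() not in NOISY_STATUS)

def is_success_logon(e):
    """Second leg of the sequence: a filtered event 4624."""
    return e["event_id"] == 4624 and _common_filters(e)

def detect(events, runs=5, maxspan=timedelta(seconds=5)):
    """Return (computer, source_ip) keys where `runs` failures precede a success within maxspan."""
    by_key = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        by_key.setdefault((e["computer"], e["source_ip"]), []).append(e)
    hits = []
    for key, seq in by_key.items():
        fail_times = []
        for e in seq:
            if is_failed_logon(e):
                fail_times.append(e["ts"])
            elif (is_success_logon(e) and len(fail_times) >= runs
                  and e["ts"] - fail_times[-runs] <= maxspan):
                hits.append(key)      # the success closes the sequence, like EQL
                fail_times = []
    return hits

def sample_events():
    """Constructed sample events: password guessing then success on WS01, noisy misconfig on WS02."""
    t0 = datetime(2024, 1, 1, 12, 0, 0)
    base = dict(logon_type="Network", user_name="jdoe", user_domain="CORP", user_id="S-1-5-21-1")
    ws01 = [dict(base, computer="WS01", source_ip="10.0.0.5", event_id=4625, status="0xC000006D",
                 ts=t0 + timedelta(milliseconds=500 * i)) for i in range(5)]   # bad password
    ws01.append(dict(base, computer="WS01", source_ip="10.0.0.5", event_id=4624, ts=t0 + timedelta(seconds=3)))
    ws02 = [dict(base, computer="WS02", source_ip="10.0.0.9", event_id=4625, status="0xC000015B",
                 ts=t0 + timedelta(milliseconds=500 * i)) for i in range(5)]   # excluded status
    ws02.append(dict(base, computer="WS02", source_ip="10.0.0.9", event_id=4624, ts=t0 + timedelta(seconds=3)))
    return ws01 + ws02
```

Running `detect(sample_events())` flags only WS01; WS02 is suppressed because every failure carries one of the excluded status codes.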
Install detection rules in Elastic Security
Detect Multiple Logon Failure Followed by Logon Success in the Elastic Security detection engine by installing this rule into your Elastic Stack.
To set up this rule, check out the installation guide for Prebuilt Security Detection Rules.