Credential Access (TA0006)
sequence by winlog.computer_name, source.ip with maxspan=5s
  [authentication where host.os.type == "windows" and event.action == "logon-failed" and
    /* event 4625 need to be logged */
    winlog.logon.type : "Network" and
    user.id != null and source.ip != null and
    source.ip != "127.0.0.1" and source.ip != "::1" and
    not winlog.event_data.TargetUserSid : "S-1-0-0" and
    not user.id : "S-1-0-0" and
    not user.name : ("ANONYMOUS LOGON", "-", "*$") and
    not user.domain == "NT AUTHORITY" and

    /* noisy failure status codes often associated to authentication misconfiguration */
    not winlog.event_data.Status : ("0xC000015B", "0XC000005E", "0XC0000133", "0XC0000192")] with runs=5
  [authentication where host.os.type == "windows" and event.action == "logged-in" and
    /* event 4624 need to be logged */
    winlog.logon.type : "Network" and
    source.ip != null and source.ip != "127.0.0.1" and source.ip != "::1" and
    not user.name : ("ANONYMOUS LOGON", "-", "*$") and
    not user.domain == "NT AUTHORITY"]
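As an added example (not Elastic's code and not part of this rule page), the following Python emulates the sequence above over constructed sample events: five qualifying failed network logons (event 4625) followed by a network logon success (event 4624) from the same source IP to the same host within 5 seconds raises one alert, while the rule's excluded status codes and a burst below the runs=5 threshold do not. Host names, IPs, user names, SIDs and timestamps are constructed; the detect function is a simplified approximation of EQL's sequence matcher (a sliding window per join key), not its exact semantics.

```python
"""Pure-Python emulation of the 'Multiple Logon Failure Followed by Logon
Success' EQL sequence, run over constructed sample events (added example)."""
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Tuple

# Failure status codes the rule excludes as misconfiguration noise (compared
# case-insensitively, as the EQL ':' operator does).
NOISY_STATUS = {"0XC000015B", "0XC000005E", "0XC0000133", "0XC0000192"}
MAXSPAN = timedelta(seconds=5)   # with maxspan=5s
RUNS = 5                         # with runs=5


def _common_filters(ev: dict) -> bool:
    """Filters shared by both steps of the sequence."""
    user, domain, src = ev.get("user.name"), ev.get("user.domain"), ev.get("source.ip")
    if user is None or domain is None or src is None:
        return False  # an absent field can never satisfy the rule's tests
    return (
        ev.get("host.os.type") == "windows"
        and ev.get("winlog.logon.type") == "Network"
        and src not in ("127.0.0.1", "::1")
        and user not in ("ANONYMOUS LOGON", "-")
        and not user.endswith("$")            # "*$": machine accounts
        and domain != "NT AUTHORITY"
    )


def is_failure(ev: dict) -> bool:
    """Step 1: event 4625 (logon-failed) with the rule's SID and status exclusions."""
    return (
        _common_filters(ev)
        and ev.get("event.action") == "logon-failed"
        and ev.get("user.id") not in (None, "S-1-0-0")
        and ev.get("winlog.event_data.TargetUserSid") != "S-1-0-0"
        and ev.get("winlog.event_data.Status", "").upper() not in NOISY_STATUS
    )


def is_success(ev: dict) -> bool:
    """Step 2: event 4624 (logged-in) over the network."""
    return _common_filters(ev) and ev.get("event.action") == "logged-in"


def detect(events: Iterable[dict]) -> List[Tuple[str, str, datetime]]:
    """Approximates `sequence by winlog.computer_name, source.ip with maxspan=5s
    [failure] with runs=5 [success]`: per (host, source.ip) key keep the recent
    qualifying failures; a success arriving while the last RUNS failures all lie
    within MAXSPAN of it produces one alert (host, source_ip, alert_time)."""
    failures: Dict[Tuple[str, str], List[datetime]] = {}
    alerts: List[Tuple[str, str, datetime]] = []
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        key = (ev["winlog.computer_name"], ev.get("source.ip"))
        ts = ev["@timestamp"]
        if is_failure(ev):
            window = failures.setdefault(key, [])
            window.append(ts)
            # keep only failures that can still fall inside a 5 s span ending now
            failures[key] = [t for t in window if ts - t <= MAXSPAN]
        elif is_success(ev):
            window = failures.get(key, [])
            if len(window) >= RUNS and ts - window[-RUNS] <= MAXSPAN:
                alerts.append((key[0], key[1], ts))
                failures[key] = []  # the matched failures are consumed
    return alerts


def sample_events() -> List[dict]:
    """Constructed sample events (not real telemetry), ECS-style flat field names."""
    t0 = datetime(2024, 1, 1, 12, 0, 0)

    def ev(offset, action, src, user="jdoe", status=None, sid="S-1-5-21-1-2-3-1001"):
        e = {
            "@timestamp": t0 + timedelta(seconds=offset),
            "host.os.type": "windows", "winlog.computer_name": "WS-01",
            "winlog.logon.type": "Network", "event.action": action,
            "source.ip": src, "user.name": user, "user.domain": "CORP",
            "user.id": sid, "winlog.event_data.TargetUserSid": sid,
        }
        if status is not None:
            e["winlog.event_data.Status"] = status
        return e

    return [
        # 10.0.0.5: five failures (STATUS_LOGON_FAILURE) then a success within 3 s -> alert
        *[ev(i * 0.5, "logon-failed", "10.0.0.5", status="0xC000006D") for i in range(5)],
        ev(3.0, "logged-in", "10.0.0.5"),
        # 10.0.0.9: same shape, but with a status code the rule treats as noise -> no alert
        *[ev(i * 0.5, "logon-failed", "10.0.0.9", user="svc_backup", status="0xC000015B") for i in range(5)],
        ev(3.0, "logged-in", "10.0.0.9", user="svc_backup"),
        # 10.0.0.7: only three failures before the success, below runs=5 -> no alert
        *[ev(10 + i, "logon-failed", "10.0.0.7", status="0xC000006D") for i in range(3)],
        ev(14, "logged-in", "10.0.0.7"),
    ]


if __name__ == "__main__":
    for host, src, when in detect(sample_events()):
        print(f"ALERT {when.isoformat()} host={host} source.ip={src}")
```

Running the script prints a single alert for 10.0.0.5; the noisy-status burst and the three-failure burst are filtered exactly as the rule's exclusions and runs threshold intend, which is a useful way to reason about what the rule will and will not fire on before deploying it.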
Install detection rules in Elastic Security
Detect Multiple Logon Failure Followed by Logon Success in the Elastic Security detection engine by installing this rule into your Elastic Stack.
To set up this rule, check out the installation guide for Prebuilt Security Detection Rules.