How to detect brute force if I have event ID 4625


WiFi

Aug 5, 2025, 11:43:24 AM
to Wazuh | Mailing List
Colleagues, hello to all!
Please help me: I need to write a correlation rule based on Windows logs, event ID 4625, which detects password brute force. Firing condition: more than 5 incorrectly entered passwords within 30 seconds.

Olamilekan Abdullateef Ajani

Aug 5, 2025, 1:31:14 PM
to Wazuh | Mailing List
Hello Devsec,

You can create a custom rule similar to the one below to capture repeated failed authentications within 30 seconds. Please note that the custom rule should be placed in the custom rules directory, /var/ossec/etc/rules/.

<group name="custom_rule">
  <rule id="108890" level="10" frequency="5" timeframe="30">
    <if_matched_sid>60122</if_matched_sid>
    <field name="win.system.eventID">^4625$</field>
    <description>Multiple Windows logon failures detected.</description>
    <options>no_full_log</options>
  </rule>
</group>

Bear in mind the Wazuh ruleset is flexible, and you can add more options to make your use case more granular. Please explore the ruleset syntax for further reference:
https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/rules.html

WiFi

Aug 6, 2025, 2:38:21 AM
to Wazuh | Mailing List
Thank you for your response!
Could you tell me whether the parent rule 60122 should be moved to local_rules, and if so, with what arguments and in what form, just as it is out of the box?
Also, I would like to clarify: we are setting a timer for 5 attempts in 30 seconds, but how does the rule understand that it needs to track this particular user (the one who is being attacked) rather than collecting data for the entire domain (a counter of the number of attempts for the whole domain instead of for a single user)?

Tuesday, August 5, 2025 at 20:31:14 UTC+3, Olamilekan Abdullateef Ajani:

WiFi

Aug 6, 2025, 2:38:26 AM
to Wazuh | Mailing List
Also, please tell me how to disable rule 60122 so that it doesn't trigger an alert, but my rule still works.

Tuesday, August 5, 2025 at 20:31:14 UTC+3, Olamilekan Abdullateef Ajani:
Hello Devsec,

Olamilekan Abdullateef Ajani

Aug 6, 2025, 10:11:58 AM
to Wazuh | Mailing List
Hello Devsec,

For the rule I shared with you, you do not need to do anything to the rule 60122, as we only referenced it. I would not suggest disabling rule 60122, as it matches failed authentication events, which I feel are important in every environment.

If you still want to go that route, all you need to do is silence the event related to 60122 when ingested. You can follow this documentation on changing existing rules: https://documentation.wazuh.com/current/user-manual/ruleset/rules/custom.html#changing-existing-rules


<group name="custom_rule">
  <rule id="108890" level="10" frequency="5" timeframe="30">
    <if_matched_sid>60122</if_matched_sid>
    <same_field>win.eventdata.ipAddress</same_field>
    <description>Multiple Windows logon failures detected.</description>
    <options>no_full_log</options>
  </rule>
</group>


In the cleaned-up version of the rule above, the same_field option tracks the field of interest for your use case; the example above tracks repeated events from the same IP address until the specified frequency is reached. You can customize this to your use case and match any field.

For further options, please check out the documentation below:
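To make the earlier question concrete (whether a bare frequency counter counts the whole domain or a single user), here is an added Python model of the frequency/timeframe/same_field windowing. It is not Wazuh's engine and not code from this thread; the events are constructed, and only the decoder field names (win.eventdata.targetUserName, win.eventdata.ipAddress) are taken from the rules above.

```python
from collections import defaultdict, deque

# Constructed sample of decoded 4625 events (timestamps in seconds, values made up).
def ev(ts, user, ip):
    return {"ts": ts, "win.system.eventID": "4625",
            "win.eventdata.targetUserName": user, "win.eventdata.ipAddress": ip}

EVENTS = [
    # five different accounts each fail once within 18 s: ordinary domain noise
    ev(0, "alice", "10.0.0.5"), ev(4, "bob", "10.0.0.6"), ev(9, "carol", "10.0.0.7"),
    ev(13, "dave", "10.0.0.8"), ev(18, "erin", "10.0.0.9"), ev(22, "frank", "10.0.0.10"),
    # one account hammered from one host: the brute-force pattern the rule is meant to catch
    ev(40, "admin", "10.0.0.50"), ev(41, "admin", "10.0.0.50"), ev(42, "admin", "10.0.0.50"),
    ev(43, "admin", "10.0.0.50"), ev(44, "admin", "10.0.0.50"), ev(45, "admin", "10.0.0.50"),
]

def correlate(events, frequency, timeframe, same_field=None):
    """Simplified model (an assumption, not Wazuh's exact semantics) of
    frequency/timeframe/same_field: an alert fires once `frequency` events that
    share the same_field value fall within `timeframe` seconds. Without
    same_field every event lands in one shared window, so the count is
    domain-wide rather than per user or per source address."""
    windows = defaultdict(deque)
    alerts = []
    for e in events:
        key = e[same_field] if same_field else "*"
        win = windows[key]
        win.append(e["ts"])
        while e["ts"] - win[0] > timeframe:      # drop events older than the window
            win.popleft()
        if len(win) >= frequency:
            alerts.append((e["ts"], key))
            win.clear()                           # one alert per burst
    return alerts

if __name__ == "__main__":
    print("no same_field:     ", correlate(EVENTS, 5, 30))
    print("per targetUserName:", correlate(EVENTS, 5, 30, "win.eventdata.targetUserName"))
    print("per ipAddress:     ", correlate(EVENTS, 5, 30, "win.eventdata.ipAddress"))
```

Without same_field the first alert fires at t=18 on five failures spread across five different accounts, which is the domain-wide counting the question worried about; scoped by targetUserName or ipAddress, only the burst against admin from 10.0.0.50 fires.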