SigmaHQ/wazuh/rules/sigma_win_susp_failed_logon_source.yml

alert:
- debug
description: A login from a public IP can indicate a misconfigured firewall or network boundary.
filter:
- query:
    query_string:
      query: (data.win.system.eventID:"4625" AND (NOT ((src_ip_addr.keyword:*\-* OR src_ip_addr.keyword:(10.* OR 192.168.* OR 172.16.* OR 172.17.* OR 172.18.* OR 172.19.* OR 172.20.* OR 172.21.* OR 172.22.* OR 172.23.* OR 172.24.* OR 172.25.* OR 172.26.* OR 172.27.* OR 172.28.* OR 172.29.* OR 172.30.* OR 172.31.* OR 127.* OR 169.254.*) OR src_ip_addr:"\:\:1" OR src_ip_addr.keyword:(fe80\:\:* OR fc00\:\:*)))))
index: wazuh-alerts-3.x-*
name: f88e112a-21aa-44bd-9b01-6ee2a2bbbed1_0
priority: 3
realert:
  minutes: 0
type: any
123 2020-12-02 22:43:30 +00:00			`alert:`
			`- debug`
			`description: A login from a public IP can indicate a misconfigured firewall or network boundary.`
			`filter:`
			`- query:`
			`query_string:`
			`query: (data.win.system.eventID:"4625" AND (NOT ((src_ip_addr.keyword:\- OR src_ip_addr.keyword:(10.* OR 192.168.* OR 172.16.* OR 172.17.* OR 172.18.* OR 172.19.* OR 172.20.* OR 172.21.* OR 172.22.* OR 172.23.* OR 172.24.* OR 172.25.* OR 172.26.* OR 172.27.* OR 172.28.* OR 172.29.* OR 172.30.* OR 172.31.* OR 127.* OR 169.254.) OR src_ip_addr:"\:\:1" OR src_ip_addr.keyword:(fe80\:\: OR fc00\:\:*)))))`
			`index: wazuh-alerts-3.x-*`
			`name: f88e112a-21aa-44bd-9b01-6ee2a2bbbed1_0`
			`priority: 3`
			`realert:`
			`minutes: 0`
			`type: any`