Getting Brute force alert

Hi team,
I have got 7 brute force alert signals, where all the attacker IPs belong to internal IPs and the victim is the AD server. On further investigation, I have not found any bad credentials in the AD logs.
As per the workbook, if more than 50 attempts are happening in 15 minutes then a signal has to be generated, but the same should reflect on the AD as well. We have the account lockout policy in place to block the account for 15 minutes after 3 failed attempts.

Please suggest how to investigate further.

image
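As an added example that is not part of the thread or of the SIEM vendor's own workbook, the script below reproduces the two rules quoted above on constructed Windows Security events: the workbook's "more than 50 attempts in 15 minutes" sliding-window count per source, and the AD lockout policy of 3 failures. It then triages each signalled source the way the replies below suggest, by checking whether AD's own failed-logon (4625) and lockout (4740) records back the count. Source IPs, user names, timestamps and the non-logon event ID 3 are placeholders invented for the example.

```python
"""Added example (not from the thread): replay a 15-minute brute-force count over
constructed events and check it against AD's own failed-logon and lockout records."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=15)
SIGNAL_THRESHOLD = 50      # workbook rule quoted in the thread: >50 attempts in 15 minutes
LOCKOUT_THRESHOLD = 3      # AD lockout policy quoted in the thread: lock after 3 failures
FAILED_LOGON = 4625        # Windows Security: an account failed to log on
ACCOUNT_LOCKED = 4740      # Windows Security: a user account was locked out
NON_LOGON_EVENT = 3        # placeholder for forwarded telemetry that is not a logon attempt


def make_events():
    """Constructed sample events: (timestamp, event_id, src_ip, target_user).
    All hosts and accounts are placeholders, not values from the thread."""
    t0 = datetime(2023, 1, 1, 9, 0, 0)
    events = []
    # Host 10.0.0.5 fails 60 logons for one account within 10 minutes ...
    for i in range(60):
        events.append((t0 + timedelta(seconds=10 * i), FAILED_LOGON, "10.0.0.5", "svc_backup"))
    # ... and, with a 3-attempt policy, AD records a lockout after the third failure.
    events.append((t0 + timedelta(seconds=25), ACCOUNT_LOCKED, "10.0.0.5", "svc_backup"))
    # Host 10.0.0.7 produces 55 non-logon events in 5 minutes and no 4625 at all:
    # a loosely scoped count would still signal it.
    for i in range(55):
        events.append((t0 + timedelta(seconds=5 * i), NON_LOGON_EVENT, "10.0.0.7", "-"))
    # Host 10.0.0.9 has two failures: below both thresholds.
    events.append((t0, FAILED_LOGON, "10.0.0.9", "alice"))
    events.append((t0 + timedelta(minutes=1), FAILED_LOGON, "10.0.0.9", "alice"))
    return sorted(events)


def peak_window_counts(events, key, keep=lambda e: True, window=WINDOW):
    """Highest number of kept events per key(e) inside any sliding window of `window`.
    `events` must be sorted by timestamp (tuple index 0)."""
    recent = defaultdict(deque)
    peak = defaultdict(int)
    for e in events:
        if not keep(e):
            continue
        k = key(e)
        q = recent[k]
        q.append(e[0])
        while e[0] - q[0] > window:        # drop timestamps that fell out of the window
            q.popleft()
        peak[k] = max(peak[k], len(q))
    return dict(peak)


def brute_force_signals(events, threshold=SIGNAL_THRESHOLD):
    """Sources the workbook-style rule flags: more than `threshold` events in 15 minutes,
    counting every event attributed to the source, as a loosely scoped query would."""
    peaks = peak_window_counts(events, key=lambda e: e[2])
    return {src: n for src, n in peaks.items() if n > threshold}


def triage(events):
    """For each signalled source, say whether AD's own records explain the signal."""
    failed = peak_window_counts(events, key=lambda e: e[2],
                                keep=lambda e: e[1] == FAILED_LOGON)
    locked = {e[2] for e in events if e[1] == ACCOUNT_LOCKED}
    findings = {}
    for src, n in brute_force_signals(events).items():
        f = failed.get(src, 0)
        if f == 0:
            verdict = ("no 4625 from this source: the signal counted non-logon events; "
                       "check which log source and which srcip column fed the workbook")
        elif f > LOCKOUT_THRESHOLD and src not in locked:
            verdict = "failed logons exceed the lockout threshold but no 4740 was logged"
        else:
            verdict = "consistent: failed logons present and lockout recorded"
        findings[src] = {"signal_count": n, "failed_logons": f,
                         "lockout_seen": src in locked, "verdict": verdict}
    return findings


if __name__ == "__main__":
    for src, finding in triage(make_events()).items():
        print(src, finding)
```

On the constructed data, 10.0.0.5 is signalled and backed by 60 failed logons plus a lockout, while 10.0.0.7 is signalled on 55 events with zero 4625s, which is the pattern the thread describes: a count above the workbook threshold with nothing matching in the AD security log. Running the same split against the real workbook output (which sources, which event IDs) is the quickest way to see whether the signal was fed by authentication failures at all.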

Hi it.security_ae,

Can you please help us answer these questions.

Do you have the AD (Adapter) IP address listed in the table under the srcip column?

If not, are you forwarding logs of the system where AD (Adapter) is installed?

Target is $SrcIP (public/private) address of AD?

Regards,
Oceana

Hi

Do you have the AD (Adapter) IP address listed in the table under the srcip column? No

If not, are you forwarding logs of the system where AD (Adapter) is installed? Yes, SYSMON and WIN-AUDIT logs are being forwarded.

Target is $SrcIP (public/private) address of AD? private 172.19.0.154

Please update on the case status.

Hi Team,
Can you share the below screenshots with us:

  1. Signals page where this alert was raised

  2. Workbook and its output
    While you are on the signals page, click on the workbook icon present on the right-hand side of your screen. Once you click, your workbook will open, where you will find your query. Can you share a screenshot of the workbook page with its output?

  3. Connected signals graph for the same

Regards
Oceana

Hi team

  1. Signals page where this alert was raised

  2. Workbook and its output
    While you are on the signals page, click on the workbook icon present on the right-hand side of your screen. Once you click, your workbook will open, where you will find your query. Can you share a screenshot of the workbook page with its output?

  3. Connected signals graph for the same