I have several clients who’ve asked me how they can prevent a brute force attack inside their Windows infrastructure. That is the use case for this blog post: a solution I’ve been studying that uses NetEye together with its SIEM module.
I’ve used a Windows client here, but it’s the same for any server in which I’ve installed Winlogbeat and configured it to send all security events to the Logstash component inside NetEye.
I’ve written previously about Winlogbeat and how to configure it here.
I’ve used Winlogbeat 7.4.2 for this configuration, under NetEye 4.10 with the SIEM module which includes Elastic Stack 7.4 Platinum Edition.
When I have multiple servers, I can reduce the number of Winlogbeat installations by setting up one Windows Server as a collector using WEF (Windows Event Forwarding), then configuring all the servers in my infrastructure to forward their security events to that collector.
When Logstash receives the data, it loads it into Elasticsearch, where I can create a dashboard showing log-ons, log-offs, and failed log-ons using the ECS field names. To see the results, let’s open NetEye:
Then open Log Analytics and navigate to Elastic Stack:
Now we have a dashboard that shows failed log-on attempts:
To test this solution I’ll try one of the common user names used in this type of attack (let’s pick TEST):
When we exceed the threshold of 10 attempts, we’ll find an alert in NetEye that can be used to send notifications to the NetEye Admin account via e-mail, SMS, Slack, Telegram, etc. So now we just need to attach the alarms, one on the user account:
and one on the server account:
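The two alarms above, one keyed on the user account and one on the server, amount to a sliding-window count of failed-logon events (Windows Security event 4625) that fires once the count exceeds 10. The following Python script is an added example of that detection logic and is not NetEye, Elastic or Winlogbeat code: it runs over a constructed set of ECS-style documents shaped like what Winlogbeat 7.x produces (`event.code`, `host.name`, `user.name`, `source.ip`), and the five-minute window length, host names, account names and IP addresses are all assumptions chosen for the illustration.

```python
"""Threshold detector for bursts of Windows failed logons over ECS-style
Winlogbeat documents (added example; not NetEye/Elastic/Winlogbeat code)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

THRESHOLD = 10                  # alert once failures exceed 10, as in the post
WINDOW = timedelta(minutes=5)   # assumption: length of the sliding window

BASE = datetime(2020, 3, 2, 9, 0, 0, tzinfo=timezone.utc)  # constructed start time


def _event(offset_s, code, host, user, src_ip):
    """Build a constructed ECS document with the subset of fields the detector
    reads. event.code is a string, as Winlogbeat 7.x emits it."""
    ts = (BASE + timedelta(seconds=offset_s)).isoformat().replace("+00:00", "Z")
    return {
        "@timestamp": ts,
        "event": {"code": code},          # "4625" failed logon, "4624" success
        "host": {"name": host},
        "user": {"name": user},
        "source": {"ip": src_ip},
    }


# Constructed sample input (hosts, users and IPs are invented):
SAMPLE_EVENTS = (
    # 12 failures for TEST on WS01 within one minute: the brute-force burst
    [_event(i * 5, "4625", "WS01", "TEST", "10.0.0.5") for i in range(12)]
    # 3 failures for alice on WS01: a user mistyping a password, benign
    + [_event(3 + i * 20, "4625", "WS01", "alice", "10.0.0.7") for i in range(3)]
    # 2 failures for TEST on SRV01: same account, different server
    + [_event(200 + i * 5, "4625", "SRV01", "TEST", "10.0.0.5") for i in range(2)]
    # one successful logon, which the detector must ignore
    + [_event(100, "4624", "WS01", "alice", "10.0.0.7")]
)


def _parse_ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def detect_bursts(events, key, threshold=THRESHOLD, window=WINDOW):
    """Sliding-window count of 4625 events grouped by key(event).

    Returns {group: (count, timestamp)} recording the first moment at which a
    group's failures inside `window` exceeded `threshold`."""
    recent = defaultdict(deque)   # group -> timestamps of failures in window
    alerts = {}
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        if ev["event"]["code"] != "4625":
            continue                      # only failed logons count
        ts = _parse_ts(ev["@timestamp"])
        group = key(ev)
        q = recent[group]
        q.append(ts)
        while ts - q[0] > window:         # drop failures older than the window
            q.popleft()
        if len(q) > threshold and group not in alerts:
            alerts[group] = (len(q), ev["@timestamp"])
    return alerts


def user_alerts(events):
    """Alarm on the user account: failures per user.name across all hosts."""
    return detect_bursts(events, key=lambda e: e["user"]["name"])


def host_alerts(events):
    """Alarm on the server: failures per host.name regardless of account."""
    return detect_bursts(events, key=lambda e: e["host"]["name"])


if __name__ == "__main__":
    for label, alerts in (("user", user_alerts(SAMPLE_EVENTS)),
                          ("host", host_alerts(SAMPLE_EVENTS))):
        for group, (count, when) in alerts.items():
            print(f"ALERT [{label}] {group}: {count} failed logons by {when}")
```

Run as-is, the script reports TEST on the user alarm and WS01 on the host alarm, while alice's three typos and the two stray attempts against SRV01 stay below the threshold. Keeping both groupings matters: a password spray that rotates accounts against one server shows up only on the host alarm, while an attacker working one account across several servers shows up only on the user alarm.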