
    author = "XXX XXX"
    description = "Detects a successful logon immediately following multiple failed logon attempts from the same IP or user, using specific Windows Event IDs."
    severity = "High"
    priority = "High"
    mitre = "T1110.001"
    yara_version = "YL2.0"
    tactic = "Credential Access"
    technique = "Brute Force"

  events:
    // Event 1: Failed authentication attempts from Windows logs (4625).
    $fail.metadata.event_type = "LOGIN_FAILED" and
    $fail.principal.asset.ip = $ip_address and
    $fail.target.user.userid = $user_id

    // Event 2: A single successful authentication from the same IP (Windows 4624).
    $success.metadata.event_type = "LOGIN_SUCCESS" and
    $success.principal.asset.ip = $ip_address and
    $success.target.user.userid = $user_id

  match:
    $ip_address, $user_id over 5m

  outcome:
    $failed_attempts = count($fail)
    $alert_type = array_distinct("Successful Brute Force Attack via Event IDs 4624/4625")

  condition:
    $success and $fail and $failed_attempts >= 3
}



Getting ERROR as:

  • validating intermediate representation: placeholder variable fail is not assigned to an event field or outcome value line: 40 column: 31-35

Line 40 is the outcome. Could someone please help me out with where I'm making mistakes and what needs to be changed?

Couple of things. The metadata event type values are enumerated fields. I don’t believe that login failed and login success are in UDM for that field. USER_LOGIN is, and then using security_results.actions with enumerated values like ALLOW, BLOCK, FAIL, etc. would be the way to do that in a vendor-agnostic way. Otherwise, you could be vendor specific and probably use the metadata.product_event_type or other fields to describe it based on the logs you are using.

 

Once you have that squared away: you can’t use an event variable in the outcome section and say count that variable; you need to specify a field that you want to count. I like using metadata.event_type, since every event has one of those (it is a required value), so using count($fail.metadata.event_type) will count it, and then you use that output in the condition.


$fail.metadata.event_type = "USER_LOGIN" and

After changing it to the above logic it worked and got some detections as well.

Thanks so much guys for the help.
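The rule rewritten the way the reply describes, as an added example and not code from this thread: both events become USER_LOGIN with the pass/fail distinction carried in security_result.action, count() is given a field rather than an event variable, and a timestamp comparison is added so the failures actually precede the success. The rule name is mine, and it assumes the Windows parser maps 4625 to security_result.action BLOCK and 4624 to ALLOW; if yours does not, key on metadata.product_event_type = "4625" / "4624" as the reply also suggests.

```yaral
rule successful_logon_after_failed_attempts {
  meta:
    author = "added example"
    description = "Successful USER_LOGIN for a user from an IP that produced 3 or more failed USER_LOGIN events in the same 5-minute window."
    severity = "High"
    priority = "High"
    mitre = "T1110.001"
    yara_version = "YL2.0"
    tactic = "Credential Access"
    technique = "Brute Force"

  events:
    // metadata.event_type is an enum: there is no LOGIN_FAILED / LOGIN_SUCCESS value.
    // Both events are USER_LOGIN; the result lives in security_result.action.
    // Assumption: the Windows parser maps 4625 -> BLOCK and 4624 -> ALLOW. If yours
    // does not, match on $fail.metadata.product_event_type = "4625" (and "4624") instead.
    $fail.metadata.event_type = "USER_LOGIN"
    $fail.security_result.action = "BLOCK"
    $fail.principal.asset.ip = $ip_address
    $fail.target.user.userid = $user_id

    $success.metadata.event_type = "USER_LOGIN"
    $success.security_result.action = "ALLOW"
    $success.principal.asset.ip = $ip_address
    $success.target.user.userid = $user_id

    // The original rule never ordered the events; require failures before the success.
    $fail.metadata.event_timestamp.seconds < $success.metadata.event_timestamp.seconds

  match:
    $ip_address, $user_id over 5m

  outcome:
    // count() takes a field, not an event variable; every event carries metadata.event_type.
    $failed_attempts = count($fail.metadata.event_type)
    // Handy for triage: when the spray started and when it finally succeeded.
    $first_failure = min($fail.metadata.event_timestamp.seconds)
    $success_time = max($success.metadata.event_timestamp.seconds)

  condition:
    $success and $fail and $failed_attempts >= 3
}
```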

