
  meta:
    author = "XXX XXX"
    description = "Detects a successful logon immediately following multiple failed logon attempts from the same IP or user, using specific Windows Event IDs."
    severity = "High"
    priority = "High"
    mitre = "T1110.001"
    yara_version = "YL2.0"
    tactic = "Credential Access"
    technique = "Brute Force"

  events:
    // Event 1: Failed authentication attempts from Windows logs (4625).
    $fail.metadata.event_type = "LOGIN_FAILED" and
    $fail.principal.asset.ip = $ip_address and
    $fail.target.user.userid = $user_id

    // Event 2: A single successful authentication from the same IP (Windows 4624).
    $success.metadata.event_type = "LOGIN_SUCCESS" and
    $success.principal.asset.ip = $ip_address and
    $success.target.user.userid = $user_id

  match:
    $ip_address, $user_id over 5m

  outcome:
    $failed_attempts = count($fail)
    $alert_type = array_distinct("Successful Brute Force Attack via Event IDs 4624/4625")

  condition:
    $success and $fail and $failed_attempts >= 3
}


ERROR:

  • validating intermediate representation: placeholder variable fail is not assigned to an event field or outcome value
    line: 40 column: 31-35

LINE 40 = outcome section

Not sure where I'm making a mistake and what needs to be changed to run the rule, and this error is not letting me save since there is a mistake.

It looks like you're trying to count $fail, which isn't actually assigned at any point, so the aggregation isn't working. Have a look at the aggregation functionality for SecOps: https://cloud.google.com/chronicle/docs/investigation/statistics-aggregations-in-udm-search

You probably want to replace $failed_attempts = count($fail) with $failed_attempts = count($fail.target.user.userid), or something to that effect. Alternatively, you need to set the $fail variable at some point in order to aggregate it.


@_K_O
After changing this to $failed_attempts = count($fail.target.user.userid)

Now I'm getting this error:

validating intermediate representation: got an invalid value for enum field "backstory.Metadata.EventType" line: 25 column: 33-39

Do you have any idea what is meant by backstory.Metadata.EventType?


metadata.event_type is an enumerated field, so there are set options for it for you to choose from. You will need to change this line to USER_LOGIN and then, from there, look for other UDM fields (e.g. the security_result fields) to determine whether the login was successful or not.

 

Because you are dealing with Windows logs, I would look at using metadata.product_event_type = "4625" and metadata.product_event_type = "4624"


I'm trying to exclude a specific domain (e.g., abc.com) from my alert rules, but it's not working because the alerts include special characters like &&&@abc.com or $$$@abc.com. How can I modify my rule to exclude these?

Not particular to these email IDs; something looking at the domain associated with the email.

// EXCLUDE UWM.COM: Check if the principal's email address does NOT end with "uwm.com".
not strings.iendswith($fail.principal.user.principal_email_address, "uwm.com")   // DIDN'T WORK

not $fail.principal.hostname = /.+\.uwm\.com$/   // DIDN'T WORK


Hi @spanuganti,

 

Does the below work:

$fail.principal.hostname != /@abc\.com$/

Kind Regards,

Ayman


@spanuganti have you tried extracting the domain using strings instead of regex? E.g.

$domain = strings.extract_domain($fail.principal.user.principal_email_address)

$domain != "uwm.com" nocase


@AymanC I tried, but it didn't work.


@_K_O Thanks for the suggestion, but I'm not sure where I'm making a mistake; somehow it's not working. 😕
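
Pulling the thread's suggestions together, the rule below is an added example (not the poster's rule and not Google's own content): it uses the USER_LOGIN enum value plus the Windows Event IDs to tell failures from successes, aggregates over an event field instead of the bare placeholder, and excludes a domain with strings.extract_domain() so decorated local parts such as &&&@abc.com still compare as abc.com. The rule name, the use of target.user.email_addresses for the domain check, the timestamp ordering and the use of metadata.id as the counted field are assumptions made here.

```yara-l
rule successful_logon_after_failed_attempts {
  meta:
    author = "example"
    description = "Successful Windows logon (4624) within 5 minutes of 3+ failed logons (4625) for the same IP and user, excluding one email domain."
    severity = "High"
    mitre = "T1110.001"

  events:
    // Windows 4625: metadata.event_type is an enum and USER_LOGIN covers both
    // outcomes, so the vendor Event ID is what separates a failure from a success.
    $fail.metadata.event_type = "USER_LOGIN"
    $fail.metadata.product_event_type = "4625"
    $fail.principal.asset.ip = $ip_address
    $fail.target.user.userid = $user_id

    // Domain exclusion (assumed field: target.user.email_addresses). extract_domain()
    // returns only the part after "@", so "&&&@abc.com" and "$$$@abc.com" both yield
    // "abc.com" and are dropped by the comparison; nocase handles "ABC.com".
    $domain = strings.extract_domain($fail.target.user.email_addresses)
    $domain != "abc.com" nocase

    // Windows 4624: the success for the same IP and user.
    $success.metadata.event_type = "USER_LOGIN"
    $success.metadata.product_event_type = "4624"
    $success.principal.asset.ip = $ip_address
    $success.target.user.userid = $user_id

    // Require the success to come after each failure, not merely inside the window.
    $fail.metadata.event_timestamp.seconds < $success.metadata.event_timestamp.seconds

  match:
    $ip_address, $user_id over 5m

  outcome:
    // Aggregate an event field of $fail, not the placeholder itself
    // (this is what triggered "placeholder variable fail is not assigned ...").
    $failed_attempts = count($fail.metadata.id)
    $alert_type = array_distinct("Successful Brute Force Attack via Event IDs 4624/4625")

  condition:
    // #fail is the number of $fail events in the match window.
    #fail >= 3 and $success
}
```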

