Rules referencing Microsoft-Windows-Security-Auditing Event ID 4625

Sigma (11)

Account Tampering - Suspicious Failed Logon Reasons severity medium T1078
Active Directory honeypot used for lateral movement severity high T1021
Brutforce enumeration on Windows OpenSSH server with non existing user severity high T1110
Brutforce enumeration with non existing users (login) severity high T1110
Brutforce on Windows OpenSSH server with valid users severity high T1110
Brutforce with denied access due to account restrictions policies severity medium T1078
Detection of default a Windows host name in login attempts severity medium T1564, T1564.006
Failed Logon From Public IP severity medium T1078, T1133, T1190
Hacktool Ruler severity high T1059, T1087, T1114, T1550, T1550.002
Metasploit SMB Authentication severity high T1021, T1021.002
Scanner PoC for CVE-2019-0708 RDP RCE Vuln severity high T1210

Elastic (6)

Multiple Logon Failure Followed by Logon Success severity medium T1110, T1110.001, T1110.003
Multiple Logon Failure from the same Source Address severity medium T1110, T1110.001, T1110.003
Potential Computer Account NTLM Relay Activity severity medium T1187, T1557, T1557.001
Potential Kerberos Relay Attack against a Computer Account severity high T1187, T1550, T1557, T1557.001
Potential NTLM Relay Attack against a Computer Account severity high T1187, T1557, T1557.001
Privileged Accounts Brute Force severity medium T1110, T1110.001, T1110.003

Splunk (15)

Kusto (13)

Brute force attack against user credentials (Uses Authentication Normalization) severity medium T1110
EatonForeseer - Unauthorized Logins severity high T1078
Excessive Windows Logon Failures severity low T1110
Failed host logons but success logon to AzureAD severity medium T1078, T1110
Failed logon attempts by valid accounts within 10 mins severity low T1110
Password Spray
Password Spraying severity medium T1110, T1110.003
Potential NTLM Relay Attack to Domain Controller
Potential Password Spray Attack (Uses Authentication Normalization) severity medium T1110
Potential Remote Desktop Tunneling severity medium T1572
SecurityEvent - Multiple authentication failures followed by a success severity low T1110
Sign-ins from IPs that attempt sign-ins to disabled accounts (Uses Authentication Normalization) severity medium T1078, T1098
User login from different countries within 3 hours (Uses Authentication Normalization) severity high T1078

YARA-L (12)

ADFS DKM Key Access severity high T1552, T1552.004
GCP_Uunauthorized_GKE_Pod_Token_Endpoint_Usage T1550, T1550.001
GeoIP User Login From Multiple States Or Countries severity low
Logins From Terminated Employees severity medium T1078
MITRE ATT&CK T1110.001 Windows Repeated Authentication Failures Before Successful One severity medium T1110, T1110.001
MITRE ATT&CK T1110.001 Windows Repeated Authentication Failures Before Successful One With User Entity severity medium T1110, T1110.001
MITRE ATT&CK T1110.003 RW Windows Password Spray severity medium T1110, T1110.003
Okta Multiple Failed Requests To Access Applications severity medium T1550, T1550.004
sap break glass account login severity low T1078
sap impossible travel severity medium T1078
sap multi terminal logon severity medium T1078
Windows Short Term Account Use severity medium

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)

Microsoft-Windows-Security-Auditing Event ID 4625

Sigma (11)

Elastic (6)

Splunk (15)

Kusto (13)

YARA-L (12)

Keyboard shortcuts

Search operators