Techniques
Sample rules
Failed Logon From Public IP
- source: sigma
- techniques:
- t1078 (Valid Accounts)
- t1133 (External Remote Services)
- t1190 (Exploit Public-Facing Application)
Description
Detects a failed logon attempt (Windows Security Event ID 4625) whose source IpAddress is a public address, i.e. neither the "-" placeholder Windows writes for local logons nor an address in a loopback, RFC 1918, link-local or IPv6 unique-local range. Logon attempts arriving from a public IP can indicate that an authentication service is reachable from the internet because of a misconfigured firewall or network boundary.
Detection logic
selection:
    EventID: 4625
filter_main_ip_unknown:
    IpAddress|contains: '-'
filter_main_local_ranges:
    IpAddress|cidr:
        - ::1/128
        - 10.0.0.0/8
        - 127.0.0.0/8
        - 172.16.0.0/12
        - 192.168.0.0/16
        - 169.254.0.0/16
        - fc00::/7
        - fe80::/10
condition: selection and not 1 of filter_main_*
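The following is an added example, not part of the Sigma rule or of this page: a plain-Python re-implementation of the detection logic above, run over a few constructed Security-log events so the effect of each filter can be seen. EventID and IpAddress are the fields the rule uses; TargetUserName is a real field of Event ID 4625 but is only included here for readable output. The sample events are constructed, using RFC 5737 / RFC 3849 documentation addresses for the "public" cases, and the handling of an IpAddress value that is not a parseable address (treated as not matching the cidr filter, so the rule fires) is an assumption about how a backend evaluates the cidr modifier, not something the rule specifies.

```python
"""Re-implementation of the Sigma rule 'Failed Logon From Public IP',
run over constructed Windows Security events (not real telemetry)."""
import ipaddress

# filter_main_local_ranges from the rule, parsed once into network objects.
LOCAL_RANGES = [
    ipaddress.ip_network(cidr)
    for cidr in (
        "::1/128", "10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12",
        "192.168.0.0/16", "169.254.0.0/16", "fc00::/7", "fe80::/10",
    )
]


def ip_is_unknown(ip_address: str) -> bool:
    """filter_main_ip_unknown: IpAddress|contains: '-'
    Windows writes '-' into IpAddress when the logon has no network
    source (interactive, service or batch logons)."""
    return "-" in ip_address


def ip_is_local(ip_address: str) -> bool:
    """filter_main_local_ranges: IpAddress|cidr: [...]
    Assumption: a value that is not a parseable IP cannot fall inside any
    range, so it is not filtered and the rule will fire on it."""
    try:
        addr = ipaddress.ip_address(ip_address)
    except ValueError:
        return False
    return any(addr in net for net in LOCAL_RANGES)


def rule_matches(event: dict) -> bool:
    """condition: selection and not 1 of filter_main_*"""
    if event.get("EventID") != 4625:  # selection
        return False
    ip_address = str(event.get("IpAddress", ""))
    return not (ip_is_unknown(ip_address) or ip_is_local(ip_address))


def alerts(events):
    """Return (TargetUserName, IpAddress) for every event the rule fires on."""
    return [(e["TargetUserName"], e["IpAddress"]) for e in events if rule_matches(e)]


# Constructed sample events; 203.0.113.0/24 and 2001:db8::/32 are documentation
# ranges standing in for real public addresses.
SAMPLE_EVENTS = [
    {"EventID": 4625, "TargetUserName": "svc_backup", "IpAddress": "203.0.113.42"},  # public IPv4: fires
    {"EventID": 4625, "TargetUserName": "jdoe", "IpAddress": "10.20.30.40"},  # RFC 1918: filtered
    {"EventID": 4625, "TargetUserName": "jdoe", "IpAddress": "-"},  # local logon: filtered
    {"EventID": 4625, "TargetUserName": "admin", "IpAddress": "fe80::1ff:fe23:4567:890a"},  # link-local: filtered
    {"EventID": 4625, "TargetUserName": "admin", "IpAddress": "2001:db8::10"},  # public IPv6: fires
    {"EventID": 4625, "TargetUserName": "guest", "IpAddress": "100.64.0.7"},  # RFC 6598 shared space, not in filter: fires
    {"EventID": 4624, "TargetUserName": "svc_backup", "IpAddress": "203.0.113.42"},  # successful logon: not selected
]

if __name__ == "__main__":
    for user, ip in alerts(SAMPLE_EVENTS):
        print(f"Failed logon from public IP: {user} from {ip}")
```

Two things the sample run makes visible that the rule text alone does not: the "-" filter is what keeps console and service logon failures out of the alert stream, and the cidr list covers only the RFC 1918, loopback, link-local and unique-local ranges, so addresses from the RFC 6598 shared space (100.64.0.0/10, common behind carrier-grade NAT) or from any other internal range your environment routes will be reported as public unless you extend filter_main_local_ranges.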