elastic / detection-rules

https://www.elastic.co/guide/en/security/current/detection-engine-overview.html

[Rule Tuning] Authentication Failed Events #44

Closed janniten closed 4 years ago

janniten commented 4 years ago

The detection rule Authentication Failed Events is not using an allowed value for event.outcome

Description

Describe the bug: The detection rule Authentication Failed Events is not using an allowed value for event.outcome (https://www.elastic.co/guide/en/ecs/current/ecs-event.html).

It is defined as `event.category : "authentication" and event.outcome: "failed"` and should be `event.category : "authentication" and event.outcome: "failure"`.

Example Data

(screenshot of example data attached in the original issue)
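An added example, not from the detection-rules project or from this issue's author: a small check that flags a rule's `event.outcome` value against the ECS allowed set (`failure`, `success`, `unknown`, from the ECS page linked above) and evaluates both query strings over constructed ECS-shaped events, showing that the original `"failed"` filter can never match. The query strings, sample events and function names are assumptions for illustration.

```python
"""Validate event.outcome in a simple KQL rule and evaluate it over sample events.

Added example, not the detection-rules project's own code. The rule evaluator
handles only the conjunction of `field : "value"` terms this rule uses.
"""
import re

# Allowed values for event.outcome per the ECS field reference.
ECS_EVENT_OUTCOME = {"failure", "success", "unknown"}

# Query as written in the custom rule, and the corrected form.
WRONG_QUERY = 'event.category : "authentication" and event.outcome: "failed"'
FIXED_QUERY = 'event.category : "authentication" and event.outcome: "failure"'

# Constructed sample events in ECS shape, as an auth data source would emit them.
SAMPLE_EVENTS = [
    {"event": {"category": "authentication", "outcome": "failure"}, "user": {"name": "alice"}},
    {"event": {"category": "authentication", "outcome": "success"}, "user": {"name": "bob"}},
    {"event": {"category": "process", "outcome": "failure"}, "user": {"name": "carol"}},
]

# Matches one `field : "value"` term; field names are dotted ECS paths.
TERM = re.compile(r'([\w.]+)\s*:\s*"([^"]*)"')


def invalid_outcomes(query: str) -> list:
    """Return event.outcome values in the query that ECS does not allow."""
    values = re.findall(r'event\.outcome\s*:\s*"([^"]*)"', query)
    return [v for v in values if v not in ECS_EVENT_OUTCOME]


def _lookup(doc: dict, dotted: str):
    """Resolve a dotted field path (e.g. event.outcome) in a nested event dict."""
    for part in dotted.split("."):
        if not isinstance(doc, dict) or part not in doc:
            return None
        doc = doc[part]
    return doc


def match_count(query: str, events: list) -> int:
    """Count events for which every `field : "value"` term of the query holds."""
    terms = TERM.findall(query)
    return sum(all(_lookup(e, f) == v for f, v in terms) for e in events)


if __name__ == "__main__":
    for name, q in (("wrong", WRONG_QUERY), ("fixed", FIXED_QUERY)):
        print(name, "invalid:", invalid_outcomes(q), "matches:", match_count(q, SAMPLE_EVENTS))
```

A check like `invalid_outcomes` fits naturally in a rule-linting step, so a misspelled ECS keyword is caught before the rule is deployed and silently matches nothing.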

rw-access commented 4 years ago

Hello @janniten, I can't find the "Authentication Failed Events" rule in this repository. Is this a custom rule that you have in your stack?

janniten commented 4 years ago

Hi Ross, my apologies. Yes, it was a (wrong) custom rule that I created several days ago and I didn't remember. Sorry!

rw-access commented 4 years ago

No worries! And if you do have more questions like these when debugging your own rules, please feel free to make issues here or post questions in the #detection-rules channel of the Elastic community Slack and we'll do our best to help.

janniten commented 4 years ago

Thank you, Ross. In the next days I'll be working with rules related to Winlogbeat's security module events.