Detection rules › Sigma
Failed Logon From Public IP
Detects a failed logon attempt from a public IP. A login from a public IP can indicate a misconfigured firewall or network boundary.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Initial Access | T1078 Valid Accounts, T1133 External Remote Services, T1190 Exploit Public-Facing Application |
| Persistence | T1078 Valid Accounts, T1133 External Remote Services |
| Privilege Escalation | T1078 Valid Accounts |
| Defense Evasion | T1078 Valid Accounts |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Security-Auditing | 4625 | An account failed to log on. |
Stages and Predicates
Stage 1: selection
Stage 2: not 1 of filter_main_*
or:
IpAddress|cidr: '10.0.0.0/8'
IpAddress|cidr: '127.0.0.0/8'
IpAddress|cidr: '169.254.0.0/16'
IpAddress|cidr: '172.16.0.0/12'
IpAddress|cidr: '192.168.0.0/16'
IpAddress|cidr: '::1/128'
IpAddress|cidr: 'fc00::/7'
IpAddress|cidr: 'fe80::/10'
IpAddress|contains: '-'
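The two stages above, applied to constructed sample events, as an added example that is not part of the rule catalog or of the rule itself. It assumes the selection stage is EventID 4625 (from the event coverage table) and uses the Security-Auditing field names EventID, IpAddress, TargetUserName and LogonType.

```python
import ipaddress

# CIDR ranges taken from the rule's filter_main_* predicates above.
PRIVATE_RANGES = [ipaddress.ip_network(c) for c in (
    "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
    "192.168.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]

def is_filtered(ip_field: str) -> bool:
    """True when one of the filter_main_* predicates matches the IpAddress
    field, i.e. the event is excluded from the alert."""
    # IpAddress|contains: '-' -- Windows writes "-" when no source address
    # is available (console or local logons), so those are excluded.
    if "-" in ip_field:
        return True
    try:
        addr = ipaddress.ip_address(ip_field)
    except ValueError:
        # Assumption: an unparsable value matches no cidr predicate, so the
        # event falls through to the alert rather than being silently dropped.
        return False
    # Note: an IPv4-mapped IPv6 value such as ::ffff:10.0.0.1 is an IPv6
    # address and does not fall inside the IPv4 ranges, so a literal reading
    # of the rule alerts on it; check how your backend evaluates cidr.
    return any(addr in net for net in PRIVATE_RANGES)

def matches_rule(event: dict) -> bool:
    """Stage 1 (selection: EventID 4625) and stage 2 (not 1 of filter_main_*)."""
    if event.get("EventID") != 4625:
        return False
    return not is_filtered(str(event.get("IpAddress", "-")))

def alerts(events):
    """Return the events the rule would raise, in input order."""
    return [e for e in events if matches_rule(e)]

# Constructed sample events (not real telemetry), Security-Auditing field names.
SAMPLE_EVENTS = [
    {"EventID": 4625, "TargetUserName": "svc_backup", "IpAddress": "203.0.113.42", "LogonType": 3},
    {"EventID": 4625, "TargetUserName": "jdoe", "IpAddress": "10.20.30.40", "LogonType": 3},
    {"EventID": 4625, "TargetUserName": "jdoe", "IpAddress": "-", "LogonType": 2},
    {"EventID": 4625, "TargetUserName": "admin", "IpAddress": "2001:db8::1", "LogonType": 10},
    {"EventID": 4625, "TargetUserName": "admin", "IpAddress": "fe80::1", "LogonType": 3},
    {"EventID": 4624, "TargetUserName": "jdoe", "IpAddress": "203.0.113.42", "LogonType": 3},
]

if __name__ == "__main__":
    for hit in alerts(SAMPLE_EVENTS):
        print(f"ALERT user={hit['TargetUserName']} src={hit['IpAddress']}")
```

Only the two events with a routable source address (one IPv4, one IPv6 outside the listed ranges) survive the filters; the private, link-local and placeholder addresses and the successful 4624 logon are dropped.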
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely used, community-vetted indicators, while a blank cell or a count of 1 means the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
| IpAddress | cidr_match | 10.0.0.0/8, 127.0.0.0/8, 169.254.0.0/16, 172.16.0.0/12, 192.168.0.0/16, ::1/128, fc00::/7, fe80::/10 |
| IpAddress | match | - |
Neighbors
Stricter alternatives (narrower than this rule)
The rules below may be useful if you find the current rule is too noisy / lacks specificity.
- Windows Multiple Users Failed To Authenticate From Process (adds 3 filters)
- Windows Multiple Users Remotely Failed To Authenticate From Host (adds 3 filters)
- Windows Unusual Count Of Users Failed To Authenticate From Process (adds 3 filters)
- Windows Unusual Count Of Users Remotely Failed To Auth From Host (adds 3 filters)