Is there a way to get Password Spraying alert in InTrust to see devices instead of the domain controllers?

Trying to set up Password Spraying, but it looks like it is only showing the IP of the Domain Controller. Of course the domain controller is going to send this alert. We want to catch computers trying to password spray, not domain controller failed logins; that feature has been available for years.

  • Hi Curtis,

    Sorry for the delay. I also tried the rule. On one of the member servers I emulated malicious activity by trying to run a process under a number of existing users with a bad password. I got the following email:

    InTrust Major alert - Potential password spraying (multiple failed logons for valid accounts) from ::ffff:

    There were at least 15 failed logons for valid accounts from source address ::ffff: within 60 seconds.
    The list of account names: Dummy.User1, Dummy.User2, Dummy.User3, Dummy.User4, Dummy.User5, Dummy.User6, Dummy.User7, Dummy.User8, Dummy.User9, Dummy.User10, Dummy.User11, Dummy.User12, Dummy.User13, Dummy.User14, Dummy.User15.

    Alert was generated on computer <DC name>.
    Alert was generated at Tue Feb 11 18:46:59 2020 (Tue Feb 11 10:46:59 2020 GMT).

    Yes, the alert comes from the DC, but the address corresponds to the device where the malicious activity happened. So please clarify your conditions and what you expect; let's try to tune the rule in your environment.

  • Hi Curtis,

    One question about your environment. How many DCs do you have and if not one, do you send the rule to all DCs? In my lab I have 2 DCs, and I receive 2 alerts about the same attack, from the first one (Infrastructure master, RID master, PDC) I get the alert email with the IP of the second DC (BDC), and from the BDC I receive the alert email with the attacker device IP. Could you check please?