Is there a way to get Password Spraying alert in InTrust to see devices instead of the domain controllers?

Trying to set up Password Spraying, but it looks like it is only showing the IP of the Domain Controller. Of course the domain controller is going to send this alert. We want to catch computers trying to password spray, not domain controller failed logins; that feature has been available for years.

  • Hi Curtis,

    One question about your environment. How many DCs do you have, and if more than one, do you send the rule to all DCs? In my lab I have 2 DCs, and I receive 2 alerts about the same attack: from the first one (Infrastructure master, RID master, PDC) I get the alert email with the IP of the second DC (BDC), and from the BDC I receive the alert email with the attacker device IP. Could you check, please?
