Brute force protection in Nebula monitors the Windows Security Event Logs to create alerts or block offending IP addresses when the number of failed login attempts reaches the limit specified in the policy settings. In the case of the Remote Desktop Protocol (RDP), unsuccessful attempts are recorded under Audit Failure Event ID 4625 in the Windows Security Event Logs.
Note: Non-RDP related audit failures are also logged under Event ID 4625.
If Brute Force protection does not report RDP intrusion alerts to Nebula, verify your policy settings or check if Audit Failure Events are being logged on the Windows device.
Symptoms
Brute force protection not reporting RDP intrusion alerts to Nebula.
Environments
Windows endpoints
Cause
The login attempt threshold was not met, or Event ID 4625 is not being logged in the Windows Security Event Logs.
Resolution
First, verify the threshold is set appropriately within your policy settings. For more information, see Brute Force Protection policy settings in Nebula.
If the configured thresholds are acceptable, verify if RDP Logon attempts are being logged under Windows Security Event Logs.
- Check if you have any internal group policies in place that control the audit logging.
- Review an endpoint's existing Logon/Logoff audit policy settings from an elevated command prompt with the following command:
auditpol /get /category:"Logon/Logoff"
- For RDP, ensure the "Logon" subcategory has failure auditing enabled at a minimum. This can be enabled from an elevated command prompt with the following command:
auditpol /set /subcategory:"Logon" /failure:enable
- Once you have verified that Logon failure monitoring is enabled, review the Event Viewer Security logs. Filter for Event ID 4625 to verify Logon failures are being recorded. If you see events reported and the trigger rule was met, you should also see a detection reported to Nebula.
If the trigger rule in Nebula is set to block mode, you can review the temporary intrusion block rule under the local Windows Firewall inbound rules. After the trigger rule block time has expired, this rule is automatically removed from the local Firewall and from Nebula.
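The following PowerShell script, added here as an example and not part of the Malwarebytes documentation or the Nebula agent, runs the checks above from a single elevated PowerShell prompt: it reads the Logon subcategory audit setting, enables failure auditing if it is missing, pulls recent Event ID 4625 entries from the Security log, groups them by source IP address so you can see whether the policy threshold would have been reached, and lists inbound firewall block rules scoped to specific remote addresses so a temporary intrusion block rule is easy to spot. The threshold and time window ($Threshold, $WindowMinutes) are assumed values; set them to match your Nebula policy. The firewall filter assumes the block rule is scoped to the offending address rather than to "Any", since the rule name is not documented on this page.

```powershell
# Added example, not Malwarebytes' own tooling. Run from an elevated PowerShell.
param(
    [int]$Threshold     = 5,   # assumed: failed-attempt limit from the Nebula policy
    [int]$WindowMinutes = 5    # assumed: time window from the Nebula policy
)

# 1. Confirm failure auditing is enabled for the Logon subcategory.
#    /r prints CSV, which ConvertFrom-Csv turns into an object with an
#    'Inclusion Setting' column ("No Auditing", "Success", "Failure",
#    "Success and Failure"). On localized Windows the subcategory name is
#    translated; the GUID {0CCE9215-69AE-11D9-BED3-505054503030} also selects it.
$audit   = auditpol /get /subcategory:"Logon" /r | ConvertFrom-Csv
$setting = $audit.'Inclusion Setting'
Write-Host "Logon subcategory audit setting: $setting"
if ($setting -notmatch 'Failure') {
    Write-Warning "Failure auditing is off; enabling it so 4625 events are written."
    auditpol /set /subcategory:"Logon" /failure:enable | Out-Null
}

# 2. Pull Event ID 4625 from the Security log for the policy window.
#    Get-WinEvent reports "no events" as an error, so suppress it and treat
#    an empty result as "nothing logged".
$since  = (Get-Date).AddMinutes(-$WindowMinutes)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
                       -ErrorAction SilentlyContinue
if (-not $events) {
    Write-Host "No Event ID 4625 in the last $WindowMinutes minutes; nothing for Nebula to count."
    return
}

# Flatten the EventData section of each event into the fields that matter.
# LogonType 10 (RemoteInteractive) is a classic RDP logon; with Network Level
# Authentication a failed pre-authentication is recorded as LogonType 3 (Network),
# which is why non-RDP failures also land under 4625.
$rows = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time      = $e.TimeCreated
        IpAddress = $d['IpAddress']
        LogonType = $d['LogonType']
        Account   = $d['TargetUserName']
        Status    = $d['Status']
    }
}

# 3. Group failures by source IP and compare against the policy threshold.
$byIp = $rows | Where-Object { $_.IpAddress -and $_.IpAddress -ne '-' } |
        Group-Object IpAddress | Sort-Object Count -Descending
foreach ($g in $byIp) {
    $types = ($g.Group.LogonType | Sort-Object -Unique) -join ','
    $state = if ($g.Count -ge $Threshold) { 'THRESHOLD MET' } else { 'below threshold' }
    '{0,-20} {1,4} failures  LogonType(s) {2,-6} {3}' -f $g.Name, $g.Count, $types, $state
}

# 4. Block mode: show enabled inbound Block rules scoped to specific remote
#    addresses. Assumption: the temporary intrusion block rule targets the
#    offending IP, so rules whose RemoteAddress is "Any" are filtered out.
Get-NetFirewallRule -Direction Inbound -Action Block -Enabled True |
    ForEach-Object {
        $addr = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ','
        [pscustomobject]@{ Rule = $_.DisplayName; RemoteAddress = $addr }
    } |
    Where-Object { $_.RemoteAddress -ne 'Any' } |
    Format-Table -AutoSize
```

Save it as a .ps1 and run it with the threshold and window from your policy, for example .\Check-RdpBruteForce.ps1 -Threshold 5 -WindowMinutes 5. If step 3 prints a source address marked THRESHOLD MET and no detection appears in Nebula, the logging prerequisites are satisfied and the problem lies in the policy assignment or the agent rather than in Windows auditing.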