2022-03-24 16:24:11 +01:00 · 2022-03-24 16:24:11 +01:00 · fa8aec5f2b
--- a/Rules/GitLab_BruteForce.yaml
+++ b/Rules/GitLab_BruteForce.yaml
@ -25,7 +25,7 @@ query: |
  let EndRunTime = StartTime - RunTime; 
  let EndLearningTime = StartTime + LearningPeriod;
  let GitLabFailedLogins = (GitLabApp
-  | where Message contains "Failed Login"
+  | where FailedLogin == 1
  | parse kind=regex Message with "Failed Login: username=" User "ip=" IpAddress 
  | project TimeGenerated, EventTime, Computer, User, HostName, HostIP, IpAddress);
  GitLabFailedLogins