Tune bruteforce correlation and drop unreliable PTH rule#2192

Open
JocLRojas wants to merge 4 commits into
release/v11.2.9from
feature/windows-rules-tuning

Conversation

@JocLRojas

Contributor

Detailed explanation of the changes

Modified —

  • now also matches and , not just . Prevents cross-source false positives where unrelated failed logons against the same account were counted.
  • extended with and .

Modified —

  • Same scoping fix: 10 prior failures + success must share and .
  • extended with .

Removed —

  • Rule deleted from .

Reasoning behind these changes

The two Windows bruteforce correlation rules were grouping prior failed logons only by , so failures coming from unrelated sources against the same account were counted toward the same correlation window. This produced cross-source false positives and inflated alert volume without improving detection quality.

Scoping by and ensures the correlation only fires when the 10 prior failures (and, in the second rule, the subsequent success) actually come from the same source attacking the same user, which is the real bruteforce pattern we want to surface. Extending with the source fields further reduces duplicate alerts for the same source/target pair.

The Pass-the-Hash detection rule was removed because it produced a high false-positive rate on legitimate traffic.

Issue reference

N/A
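The scoping change described in this PR, as an added example that is not the PR's own rule files or UTMStack code: a small Go model of both correlations, run over constructed logon events, which shows why keying the failure window by account alone fires on unrelated sources while keying by account plus source does not. The field names (User, SourceIP), the 10-failure threshold, and the 5-minute window (taken from the review bot's remark about `within: 5m`) are assumptions for this example, and the sample events are constructed, not real telemetry.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// Event is a minimal stand-in for a normalized Windows logon event.
// The field names are assumptions for this example; the PR's real
// field names are not visible on the page.
type Event struct {
	Time     time.Time
	User     string
	SourceIP string
	Success  bool // true for a successful logon, false for a failure
}

// KeyFunc chooses which events are correlated together.
type KeyFunc func(Event) string

// ByUser is the pre-PR grouping: the account only.
func ByUser(e Event) string { return e.User }

// ByUserAndSource is the PR's scoping: account plus source.
func ByUserAndSource(e Event) string { return e.User + "|" + e.SourceIP }

// Alert is emitted at most once per key per burst.
type Alert struct {
	Key   string
	Count int
}

// CountFailures models the first rule: fire once a key has `threshold`
// failures inside `window`. Firing once per key is the dedup effect the
// PR's extended group-by is meant to have.
func CountFailures(events []Event, key KeyFunc, threshold int, window time.Duration) []Alert {
	fails := map[string][]time.Time{}
	fired := map[string]bool{}
	var alerts []Alert
	for _, e := range byTime(events) {
		if e.Success {
			continue
		}
		k := key(e)
		fails[k] = trim(append(fails[k], e.Time), e.Time.Add(-window))
		if len(fails[k]) >= threshold && !fired[k] {
			fired[k] = true
			alerts = append(alerts, Alert{k, len(fails[k])})
		}
	}
	return alerts
}

// FailuresThenSuccess models the second rule: a success preceded, for
// the same key, by at least `threshold` failures inside `window`.
func FailuresThenSuccess(events []Event, key KeyFunc, threshold int, window time.Duration) []Alert {
	fails := map[string][]time.Time{}
	var alerts []Alert
	for _, e := range byTime(events) {
		k := key(e)
		if !e.Success {
			fails[k] = append(fails[k], e.Time)
			continue
		}
		fails[k] = trim(fails[k], e.Time.Add(-window))
		if len(fails[k]) >= threshold {
			alerts = append(alerts, Alert{k, len(fails[k])})
			fails[k] = nil // one alert per burst
		}
	}
	return alerts
}

// byTime returns a time-ordered copy so the window logic does not
// depend on ingestion order.
func byTime(events []Event) []Event {
	out := append([]Event(nil), events...)
	sort.SliceStable(out, func(i, j int) bool { return out[i].Time.Before(out[j].Time) })
	return out
}

// trim drops timestamps older than cutoff from a time-ordered slice.
func trim(ts []time.Time, cutoff time.Time) []time.Time {
	i := 0
	for i < len(ts) && ts[i].Before(cutoff) {
		i++
	}
	return ts[i:]
}

// SampleEvents is constructed data: "alice" gets 11 failures split across
// two sources (the cross-source case the PR fixes) and then a success;
// "bob" gets 10 failures and a success from a single source.
func SampleEvents() []Event {
	t0 := time.Date(2026, 6, 9, 16, 0, 0, 0, time.UTC)
	at := func(sec int) time.Time { return t0.Add(time.Duration(sec) * time.Second) }
	var ev []Event
	for i := 0; i < 6; i++ {
		ev = append(ev, Event{at(i * 10), "alice", "10.0.0.5", false})
	}
	for i := 0; i < 5; i++ {
		ev = append(ev, Event{at(5 + i*10), "alice", "10.0.0.9", false})
	}
	ev = append(ev, Event{at(60), "alice", "10.0.0.9", true})
	for i := 0; i < 10; i++ {
		ev = append(ev, Event{at(100 + i*10), "bob", "10.0.0.7", false})
	}
	ev = append(ev, Event{at(200), "bob", "10.0.0.7", true})
	return ev
}

func main() {
	ev := SampleEvents()
	w := 5 * time.Minute
	fmt.Println("failures, by user:           ", CountFailures(ev, ByUser, 10, w))
	fmt.Println("failures, by user+source:    ", CountFailures(ev, ByUserAndSource, 10, w))
	fmt.Println("then success, by user:       ", FailuresThenSuccess(ev, ByUser, 10, w))
	fmt.Println("then success, by user+source:", FailuresThenSuccess(ev, ByUserAndSource, 10, w))
}
```

With the account-only key both rules alert on "alice" even though no single source reached 10 failures; with the account-plus-source key only "bob" alerts, which is the pattern the PR description says the rules should surface.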

@JocLRojas JocLRojas requested a review from a team June 9, 2026 16:05
@github-actions

github-actions Bot commented Jun 9, 2026


❌ Go dependencies check failed

There are outdated Go dependencies, or modules that could not be inspected.
Run bash .github/scripts/go-deps.sh --update --discover locally and
commit the updated go.mod / go.sum files.

Script output
🔍 Discovered 25 Go projects

📦 Dependencies with updates available:

  📁 ./agent:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25
     - golang.org/x/sys: v0.45.0 → v0.46.0

  📁 ./as400/updater:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25

  📁 ./as400:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25

  📁 ./utmstack-collector:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25

  📁 ./plugins/inputs:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25

  📁 ./plugins/sophos:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25

  📁 ./plugins/alerts:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25

  📁 ./plugins/gcp:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25
     - google.golang.org/api: v0.282.0 → v0.283.0

  📁 ./plugins/geolocation:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25

  📁 ./plugins/crowdstrike:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25

  📁 ./plugins/bitdefender:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25

  📁 ./plugins/config:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25

  📁 ./plugins/azure:
     - github.com/Azure/azure-sdk-for-go/sdk/azcore: v1.21.1 → v1.22.0
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25

  📁 ./plugins/modules-config:
     - github.com/aws/aws-sdk-go-v2/config: v1.32.18 → v1.32.24
     - github.com/aws/aws-sdk-go-v2/credentials: v1.19.17 → v1.19.23
     - github.com/aws/aws-sdk-go-v2/service/cloudwatchlogs: v1.74.0 → v1.75.2
     - github.com/aws/aws-sdk-go-v2/service/sts: v1.42.1 → v1.43.3
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25
     - golang.org/x/sync: v0.20.0 → v0.21.0
     - google.golang.org/api: v0.282.0 → v0.283.0

  📁 ./plugins/aws:
     - github.com/aws/aws-sdk-go-v2: v1.41.7 → v1.42.0
     - github.com/aws/aws-sdk-go-v2/config: v1.32.18 → v1.32.24
     - github.com/aws/aws-sdk-go-v2/credentials: v1.19.17 → v1.19.23
     - github.com/aws/aws-sdk-go-v2/service/cloudwatchlogs: v1.74.0 → v1.75.2
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25

  📁 ./plugins/soc-ai:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25

  📁 ./plugins/feeds:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25
     - golang.org/x/sync: v0.20.0 → v0.21.0

  📁 ./plugins/events:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25

  📁 ./plugins/o365:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25

  📁 ./plugins/stats:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25

  📁 ./agent-manager:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25

❌ Please update dependencies before merging.

@github-actions

github-actions Bot commented Jun 9, 2026


⚠️ AI review — Changes requested

One or more prompts found issues the author should fix before merging. Details below.

architecture (gemini-3-flash-lite) — Tier 1 — looks clean

Summary: Updates to detection rules and removal of a deprecated rule; no architectural or agent-breaking changes.

No findings.

⚠️ bugs (gemini-3-flash-lite) — Tier 2 — changes requested

Summary: Changed 'within' syntax from 'now-5m' to '5m', which may break the query engine if it expects absolute time ranges.

  • medium rules/windows/bruteforce_attack.yml:30 — Changed 'within' from 'now-5m' to '5m'. If the underlying query engine requires an absolute time range (e.g., 'now-5m'), this will cause a runtime error or invalid query execution.
  • medium rules/windows/bruteforce_multiple_logon_failure_followed_by_success.yml:30 — Changed 'within' from 'now-5m' to '5m'. If the underlying query engine requires an absolute time range (e.g., 'now-5m'), this will cause a runtime error or invalid query execution.

⚠️ security (gemini-3-flash-lite) — Tier 2 — changes requested

Summary: Removal of a security detection rule (Pass-the-Hash) and modification of brute-force rules.

  • medium rules/windows/pass_the_hash_detection.yml:1 — The 'Pass-the-Hash' detection rule has been deleted. Removing security detection rules reduces the visibility of lateral movement attacks and should be justified by a replacement or deprecation policy.

@utmstackprapprover utmstackprapprover Bot left a comment

Changes requested — see approver comments above.
