I’ve started getting a lot of auto-opened investigations from attempts to password spray my VPN. The investigations are always opened as “low” priority, because the attempts fail, but it creates a lot of unnecessary noise in my environment. Any recommendations on how to tune that particular rule?
Depending on your organization's ingress map, I would suggest setting up alerts if accesses from unexpected countries materialize, and at the same time creating a brute-force alert with a less noisy threshold.
Are you able to block the offending IPs using your firewall? You might be able to use a feed of malicious IPs to block a lot, or make your own feed with a list generated from IDR or other sources.
I have the same problem when a user changes his password and his VPN session continues to attempt connections, generating false positives. More than 300k logs are coming from this issue.
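The thread above suggests three tuning ideas: a brute-force rule with a quieter threshold, an alert on logins from unexpected countries, and a home-grown block feed of spraying sources, while the last reply describes the classic false positive (one client retrying a stale password after a password change). The script below is an added example written for this thread, not code from any of the posters or from any specific SIEM product. It assumes a simplified VPN auth log format (`auth-fail`/`auth-ok`, `user=`, `src=`, `country=`), a constructed allow-list of expected countries, and thresholds (`SPRAY_MIN_USERS`, `STALE_MIN_FAILS`) that you would tune to your own environment; the log lines themselves are constructed sample data.

```python
"""Triage VPN authentication failures per source IP (added example, constructed data).

Per source IP the script distinguishes:
  password_spray     many distinct usernames failing, never a success  -> alert + block feed
  unexpected_country activity from outside the expected-country list    -> alert
  stale_credential   one username failing repeatedly from an expected
                     country, no success (client retrying an old password
                     after a password change)                             -> suppressed
  below_threshold    everything else                                      -> no action
"""
import re
from collections import defaultdict

# Assumed log format; adjust LINE_RE to whatever your VPN appliance actually emits.
LINE_RE = re.compile(
    r"auth-(?P<result>fail|ok) user=(?P<user>\S+) src=(?P<src>\S+) country=(?P<cc>\S+)"
)

# Tuning knobs (assumptions for this example): expected countries from your ingress map,
# and thresholds that separate a spray from ordinary typos or a stale client.
EXPECTED_COUNTRIES = {"US", "DE"}
SPRAY_MIN_USERS = 5      # distinct usernames from one IP before we call it a spray
STALE_MIN_FAILS = 20     # repeated failures for a single user before we call it stale


def _line(sec, result, user, src, cc):
    """Build one constructed sample log line."""
    return (f"2024-05-01T08:{sec // 60:02d}:{sec % 60:02d}Z vpn auth-{result} "
            f"user={user} src={src} country={cc}")


# Constructed sample log: a spray from an unexpected country ("ZZ" is a placeholder code),
# a stale client hammering one account, a normal user with one typo, and a single
# failure from an unexpected country.
SAMPLE_LOGS = "\n".join(
    [_line(i, "fail", f"user{i:02d}", "203.0.113.10", "ZZ") for i in range(8)]
    + [_line(10 + i, "fail", "alice", "198.51.100.7", "US") for i in range(25)]
    + [_line(40, "fail", "bob", "192.0.2.33", "US"), _line(41, "ok", "bob", "192.0.2.33", "US")]
    + [_line(50, "fail", "carol", "203.0.113.99", "ZZ")]
)


def parse(logs):
    """Extract auth events as dicts; lines that do not match are ignored."""
    return [m.groupdict() for m in (LINE_RE.search(l) for l in logs.splitlines()) if m]


def summarize(events):
    """Aggregate failures, successes, usernames and countries per source IP."""
    per_ip = defaultdict(lambda: {"fails": 0, "ok": 0, "users": set(), "countries": set()})
    for e in events:
        s = per_ip[e["src"]]
        s["fails" if e["result"] == "fail" else "ok"] += 1
        s["users"].add(e["user"])
        s["countries"].add(e["cc"])
    return per_ip


def classify(per_ip):
    """Tag each source IP; tags are ordered so the most serious comes first."""
    findings = {}
    for ip, s in per_ip.items():
        tags = []
        if len(s["users"]) >= SPRAY_MIN_USERS and s["ok"] == 0:
            tags.append("password_spray")
        if not s["countries"] <= EXPECTED_COUNTRIES:
            tags.append("unexpected_country")
        # Stale-client pattern: one account, many failures, expected geography, no success.
        if (len(s["users"]) == 1 and s["fails"] >= STALE_MIN_FAILS
                and s["ok"] == 0 and s["countries"] <= EXPECTED_COUNTRIES):
            tags.append("stale_credential")
        findings[ip] = tags or ["below_threshold"]
    return findings


def alerts(findings):
    """Only spray and unexpected-country findings should open an investigation."""
    return {ip: t for ip, t in findings.items()
            if "password_spray" in t or "unexpected_country" in t}


def blocklist(findings):
    """Sources to push to the firewall block feed: confirmed sprayers only."""
    return sorted(ip for ip, t in findings.items() if "password_spray" in t)


def run(logs=SAMPLE_LOGS):
    findings = classify(summarize(parse(logs)))
    return findings, alerts(findings), blocklist(findings)


if __name__ == "__main__":
    findings, to_alert, to_block = run()
    for ip, tags in findings.items():
        print(f"{ip:15} {', '.join(tags)}")
    print("alert:", sorted(to_alert), "block:", to_block)
```

The stale-credential suppression is deliberately narrow (single account, no success, expected country): a sprayer that happens to hit one account from an allowed country still falls through to the threshold checks, and anything from outside the ingress map always alerts regardless of the suppression.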