From 7294cc4181973dc422baee39677d5ea369950c46 Mon Sep 17 00:00:00 2001
From: Joshua Wright
Date: Tue, 24 Dec 2019 11:09:45 -0500
Subject: [PATCH] Changed multiple failed login alert from 25 to 5 to more accurately reflect password spray attack evidence
---
 DeepBlue.ps1 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/DeepBlue.ps1 b/DeepBlue.ps1
index 724a39c..c29da5e 100644
--- a/DeepBlue.ps1
+++ b/DeepBlue.ps1
@@ -46,7 +46,7 @@ function Main {
 #"Processing the " + $logname + " log..."
 $filter=Create-Filter $file $logname
 # Passworg guessing/spraying variables:
- $maxfailedlogons=25 # Alert after this many failed logons
+ $maxfailedlogons=5 # Alert after this many failed logons
 $failedlogons=@{} # HashTable of failed logons per user
 $totalfailedlogons=0 # Total number of failed logons (for all accounts)
 $totalfailedaccounts=0 # Total number of accounts with a failed logon
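Review bot: The comment on the changed line, `# Alert after this many failed logons`, does not say whether the count is per account or across all accounts, nor over what span of events, and with the value lowered to 5 that distinction decides how noisy the alert is. A per-account limit of 5 sits within the range of ordinary mistyped passwords, while a spray usually leaves only a few failures on each of many accounts, so the same number likely means different things for the guessing and the spraying checks. Main continues outside the hunk, so how `$maxfailedlogons` is compared is not visible here; once confirmed against those comparisons, the line could read something like `$maxfailedlogons=5 # Alert above this many failed logons (per account and in total; counted over the whole log)`. The section comment just above also carries a typo (`Passworg`).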