feat(windows): detect multiple unknown-user failed logons from single source IP

[Tom3306]

PR Title:
feat(windows): detect multiple unknown-user failed logons from single source IP

PR Body:

Summary

This PR adds a Windows Security rule to detect repeated failed logons (EventID=4625) where the username does not exist (Status=0xC0000064) from the same source IP within a short period.

Why

This pattern is commonly associated with username enumeration and early brute-force attempts. The rule is intentionally conservative and marked status: test pending environment validation.

Rule Details

• Logsource: product: windows, service: security
• Core filters:
  • EventID: 4625
  • Status: 0xC0000064
  • LogonType: 2, 3, 10
• Excludes localhost/unknown IP values.
• Aggregation: count(TargetUserName) by IpAddress > 5 over 10m

False Positives

• Vulnerability scanning tools
• Misconfigured authentication scripts
• Authorized red-team/pentest activity

Validation

• Added anonymized positive/negative sample logs
• Added expected outcomes and validation plan

Checklist

• Rule passes Sigma lint/format checks
• ATT&CK tags verified
• Field names align with Sigma conventions
• Sample data reviewed and anonymized
• Detection logic tested in target backend
• Maintainer feedback addressed