Aggs in DSL

when I create a new rule in Custom query with DSL

for the query
Login Authentication
Condition 1: Count of failed login attempts for the same user account is greater than or equal to 5 within the last 2 minutes.
Condition 2: The failed login attempts originate from at least 3 different IP addresses.
Time Window: Last 15 minutes

I give

POST /_all /_search
{
"size": 0,
"query": {
"bool": {
"filter": [
{
"range": {
"@timestamp": {
"gte": "now-15m/m"
}
}
},
{
"term": {
"event.code ": "4625"
}
}
]
}
},
"aggs": {
"users": {
"terms": {
"field": "user.name ",
"min_doc_count": 5
},
"aggs": {
"unique_ips": {
"cardinality": {
"field": "source.ip"
}
}
}
}
}
}

It give me positive value result in Dev Tools but I put the query in filter DSL ,it does not take any aggs .
How to figure out this

Hello,
After reading your use case, Threshold rule might be better than custom query rule:

Threshold: Searches the defined indices and creates a detections alert when the number of times the specified field’s value is present and meets the threshold during a single execution. When multiple values meet the threshold, an alert is generated for each value.

Here are some more guidance of how to create a Threshold rule.

Hope these help. Thank you.

Hi,

Thanks for the reply. Already done but I give KQL with event failure and group by single user and count related ip.

If I have to put time duration with 2 min ,how to put ?

I cant figure out because in event.duration if I give the value , wouldn't take as it does not understand the event start. So, if you resolve this problem for me ,it will be highly helpful.

You could consider organising the data before creating a rule:

I'd probably use ingest pipeline to create a duration field if you have start and end time in each document.

Group by single user or ip could be done by transform

is there any other way to give event.duration in KQL , So it can work

If you've got event.duration field in the documents already. According to ECS, it's the difference in nanoseconds between event.start and event.end. Would filter with event.duration not working in this cases?

Duration of the event in nanoseconds.

If event.start and event.end are known this value should be the difference between the end and start time.

type: long

If I specify event.start and event.end
it take time with date
if i have to create a rule totrigger an alert it must not be a specific date
only the duration ie 2 min

when i put event.duration : 120000 it does not take and give no logs

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.