for the query
Login Authentication
Condition 1: Count of failed login attempts for the same user account is greater than or equal to 5 within the last 2 minutes.
Condition 2: The failed login attempts originate from at least 3 different IP addresses.
Time Window: Last 15 minutes
Hello,
After reading your use case, Threshold rule might be better than custom query rule:
Threshold: Searches the defined indices and creates a detections alert when the number of times the specified field’s value is present and meets the threshold during a single execution. When multiple values meet the threshold, an alert is generated for each value.
Here is some more guidance on how to create a Threshold rule.
Thanks for the reply. Already done, but I gave KQL with event failure, grouped by a single user and counted the related IPs.
If I have to put in a time duration of 2 min, how do I put it?
I can't figure it out, because if I give the value in event.duration it wouldn't take it, as it does not understand the event start. So if you resolve this problem for me, it will be highly helpful.
If you've got the event.duration field in the documents already: according to ECS, it's the difference in nanoseconds between event.start and event.end. Would a filter on event.duration not work in this case?
Duration of the event in nanoseconds.
If event.start and event.end are known this value should be the difference between the end and start time.
If I specify event.start and event.end, it takes the time with a date.
If I have to create a rule to trigger an alert, it must not be a specific date, only the duration, i.e. 2 min.
When I put event.duration : 120000 it does not take it and gives no logs.
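Added example, not part of the thread or of Elastic's own code. Two things get conflated above: event.duration is a per-document field (the length of one event, in nanoseconds, so 2 minutes would be 120000000000, and 120000 is 120 microseconds), whereas the "2 minutes" in Condition 1 is the rule's look-back window, which is set on the rule itself (the `from` date-math field in the API, "Runs every" plus "Additional look-back time" in the Kibana UI), not in the query. The block below shows the threshold rule body for the use case on the page as it would be sent to the Detection Engine API (rule name, index pattern and severity are this example's own choices; the field names follow the threshold-rule schema as I understand it), then emulates one execution of that rule offline over constructed ECS-style login events so the count-per-user and distinct-source-IP conditions can be checked without a cluster. The KQL string is not parsed; the equivalent filter is hard-coded in `matches_query`.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Rule body in the shape accepted by POST /api/detection_engine/rules.
# Name, index pattern and severity are this example's own choices.
THRESHOLD_RULE = {
    "name": "Password spraying: 5+ failed logins per user from 3+ IPs in 2 min",
    "type": "threshold",
    "language": "kuery",
    "query": "event.category:authentication and event.outcome:failure",
    "index": ["logs-*"],
    "from": "now-2m",   # the 2-minute window lives here, not in the query
    "interval": "2m",   # run every 2 minutes
    "threshold": {
        "field": ["user.name"],                               # group by account
        "value": 5,                                           # >= 5 matching events per group
        "cardinality": [{"field": "source.ip", "value": 3}],  # from >= 3 distinct source IPs
    },
    "severity": "medium",
}

def parse_lookback(from_expr: str) -> timedelta:
    """Turn a date-math 'from' such as 'now-2m' into a timedelta."""
    m = re.fullmatch(r"now-(\d+)([smh])", from_expr)
    if not m:
        raise ValueError(f"unsupported date math: {from_expr}")
    n, unit = int(m.group(1)), m.group(2)
    return timedelta(**{{"s": "seconds", "m": "minutes", "h": "hours"}[unit]: n})

def get_field(doc: dict, dotted: str):
    """Resolve an ECS dotted field name ('source.ip') against a nested document."""
    cur = doc
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur

def matches_query(doc: dict) -> bool:
    """Hard-coded equivalent of the rule's KQL; KQL itself is not parsed here."""
    return (get_field(doc, "event.category") == "authentication"
            and get_field(doc, "event.outcome") == "failure")

def evaluate_threshold(events, now: datetime, rule=THRESHOLD_RULE):
    """Emulate one rule execution: keep documents inside the look-back window that
    match the query, group them by the threshold field, then apply the count and
    cardinality checks. Returns one alert dict per group that satisfies both."""
    window_start = now - parse_lookback(rule["from"])
    group_field = rule["threshold"]["field"][0]
    groups = defaultdict(list)
    for doc in events:
        ts = datetime.fromisoformat(doc["@timestamp"].replace("Z", "+00:00"))
        if not (window_start <= ts <= now) or not matches_query(doc):
            continue
        groups[get_field(doc, group_field)].append(doc)
    alerts = []
    for key, docs in groups.items():
        if len(docs) < rule["threshold"]["value"]:
            continue
        cardinality_ok = all(
            len({get_field(d, c["field"]) for d in docs}) >= c["value"]
            for c in rule["threshold"]["cardinality"]
        )
        if cardinality_ok:
            alerts.append({group_field: key, "count": len(docs),
                           "source_ips": sorted({get_field(d, "source.ip") for d in docs})})
    return alerts

def _login(ts: str, user: str, ip: str, outcome: str = "failure") -> dict:
    """Build a constructed ECS-style authentication event (sample data, not real logs)."""
    return {"@timestamp": ts, "event": {"category": "authentication", "outcome": outcome},
            "user": {"name": user}, "source": {"ip": ip}}

NOW = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)   # window is 11:58:00 .. 12:00:00
SAMPLE_EVENTS = [
    # alice: 6 failures from 3 IPs inside the window -> alert
    *[_login(f"2024-01-01T11:58:{s:02d}Z", "alice", f"10.0.0.{1 + i % 3}")
      for i, s in enumerate((10, 20, 30, 40, 50, 59))],
    _login("2024-01-01T11:59:55Z", "alice", "10.0.0.3", outcome="success"),  # excluded by query
    # bob: 6 failures but a single source IP -> count met, cardinality not met
    *[_login(f"2024-01-01T11:59:{s:02d}Z", "bob", "192.0.2.7") for s in (1, 5, 9, 13, 17, 21)],
    # carol: 5 failures from 3 IPs, but 3 of them fall before the window -> only 2 counted
    *[_login(f"2024-01-01T11:5{m}:00Z", "carol", f"203.0.113.{m}") for m in (1, 2, 3)],
    _login("2024-01-01T11:59:00Z", "carol", "203.0.113.1"),
    _login("2024-01-01T11:59:30Z", "carol", "203.0.113.2"),
]

if __name__ == "__main__":
    print(json.dumps(THRESHOLD_RULE, indent=2))
    print(json.dumps(evaluate_threshold(SAMPLE_EVENTS, NOW), indent=2))
```

Running it yields exactly one alert, for alice, which is what the real threshold rule would produce for the same documents: bob fails the cardinality check and carol's older failures are outside `from`. If the 15-minute window listed on the page is the intended one, change `from` to `now-15m` (and usually `interval` to match); nothing in the query changes.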