Brute Force Attack - Watcher using Windows Event IDs

Hi,
Please share a sample watcher to alert on brute force attacks using Windows event IDs (with throttling_period).
I need to show Source IP, Destination IP, Computer name and User name in the watcher history dashboard.

You may get more feedback and guidance if you can detail exactly what the logic behind the watch needs to be and what you have tried so far.


I need an alert if any unsuccessful login attempt happens. In the alert dashboard I would like to show Source IP, Destination IP, Username and Computer name.
Please have a look at the JSON script copied below. Here I am able to fetch only one field: computer_name.

{
  "trigger": {
    "schedule": {
      "interval": "30s"
    }
  },
  "input": {
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "indices": [
          "winlogbeat-security-*"
        ],
        "types": [],
        "body": {
          "size": 0,
          "query": {
            "bool": {
              "filter": [
                {
                  "range": {
                    "@timestamp": {
                      "from": "now-15m",
                      "to": "now"
                    }
                  }
                },
                {
                  "term": {
                    "event_id": "4625"
                  }
                }
              ]
            }
          },
          "aggs": {
            "failed_name": {
              "terms": {
                "field": "computer_name"
              }
            }
          }
        }
      }
    }
  },
  "condition": {
    "compare": {
      "ctx.payload.aggregations.failed_name.buckets.0.doc_count": {
        "gte": 3
      }
    }
  },
  "actions": {
    "my-logging-action": {
      "logging": {
        "level": "info",
        "text": "Brute Force Attempt Behaviour Detected: {{ctx.payload.aggregations.failed_name.buckets.0}} "
      }
    }
  }
}

[quote="Christian_Dahlqvist, post:2, topic:99374, full:true"]
You may get more feedback and guidance if you can detail exactly what the logic behind the watch needs to be and what you have tried so far.
[/quote]

Waiting for your kind reply.

Can you help me resolve the issue mentioned in my previous comment?
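An added example from the editor, not a watch posted in this thread, of a complete watch that does what the question asks. It assumes a pre-ECS Winlogbeat mapping (the one implied by the `event_id` and `computer_name` fields above) in which a failed logon is event ID 4625 ("An account failed to log on"; 4648 records a logon attempted with explicit credentials, not a failure) and the event's EventData is flattened into `event_data.IpAddress` (source address) and `event_data.TargetUserName` (account). Those field names and the index pattern are assumptions to check against your own mapping. Note that a 4625 event carries no destination IP: `computer_name` is the host that recorded the failure, which is the "destination" in a brute force scenario, and `event_data.WorkstationName` holds the client's NetBIOS name when the client supplies it.

```json
{
  "trigger": {
    "schedule": {
      "interval": "30s"
    }
  },
  "throttle_period": "15m",
  "input": {
    "search": {
      "request": {
        "indices": [
          "winlogbeat-security-*"
        ],
        "body": {
          "size": 0,
          "query": {
            "bool": {
              "filter": [
                {
                  "range": {
                    "@timestamp": {
                      "gte": "now-15m",
                      "lte": "now"
                    }
                  }
                },
                {
                  "term": {
                    "event_id": 4625
                  }
                }
              ]
            }
          },
          "aggs": {
            "by_source_ip": {
              "terms": {
                "field": "event_data.IpAddress",
                "size": 50,
                "min_doc_count": 3
              },
              "aggs": {
                "by_user": {
                  "terms": {
                    "field": "event_data.TargetUserName",
                    "size": 10
                  }
                },
                "by_computer": {
                  "terms": {
                    "field": "computer_name",
                    "size": 10
                  }
                }
              }
            }
          }
        }
      }
    }
  },
  "condition": {
    "array_compare": {
      "ctx.payload.aggregations.by_source_ip.buckets": {
        "path": "doc_count",
        "gte": {
          "value": 3
        }
      }
    }
  },
  "actions": {
    "log_brute_force": {
      "logging": {
        "level": "warn",
        "text": "Brute force behaviour detected in the last 15m:{{#ctx.payload.aggregations.by_source_ip.buckets}} source_ip={{key}} failures={{doc_count}} users=[{{#by_user.buckets}}{{key}} {{/by_user.buckets}}] computers=[{{#by_computer.buckets}}{{key}} {{/by_computer.buckets}}];{{/ctx.payload.aggregations.by_source_ip.buckets}}"
      }
    }
  }
}
```

Three things differ from the watch in the question. The condition uses `array_compare`, which walks every `by_source_ip` bucket and fires if any of them has `doc_count` of 3 or more, instead of `compare` against a fixed bucket index (an index that may not exist when fewer hosts appear in the window). The terms aggregation is keyed on the attacker's source address, with sub-aggregations for the targeted usernames and computers, so each alert carries all four fields the question asks for, and the action iterates over the buckets with Mustache sections rather than printing a single bucket object. `throttle_period` at the top of the watch (it can also be set per action) suppresses repeat executions of the action for 15 minutes after it fires, which stops a single ongoing attack from logging an alert every 30 seconds. Because `size` is 0, the search payload stored in the `.watcher-history-*` index consists of these aggregation buckets, which is what a history dashboard can visualise. On Winlogbeat 7 and later, with ECS field names, replace `event_id` with `winlog.event_id`, `event_data.IpAddress` with `source.ip`, `event_data.TargetUserName` with `user.name` and `computer_name` with `host.name`.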
