Brute Force Attack - Watcher using Windows Event IDs

alerting

(suchand) #1

Hi,
Please share a sample watcher to alert on a brute force attack using Windows event IDs (with throttling_period).
I need to show source IP, destination IP, computer name and user name in the watcher history dashboard.


(Christian Dahlqvist) #2

You may get more feedback and guidance if you can detail exactly what the logic behind the watch needs to be and what you have tried so far.


(suchand) #3

I need to alert if any unsuccessful login attempt happens. In the alert dashboard I would like to show source IP, destination IP, username and computer name.
Please have a look at the JSON script copied below. Here I am able to fetch only one field - computer_name.

{
  "trigger": {
    "schedule": {
      "interval": "30s"
    }
  },
  "input": {
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "indices": [
          "winlogbeat-security-*"
        ],
        "types": [],
        "body": {
          "size": 0,
          "query": {
            "bool": {
              "filter": [
                {
                  "range": {
                    "@timestamp": {
                      "from": "now-15m",
                      "to": "now"
                    }
                  }
                },
                {
                  "term": {
                    "event_id": "4648"
                  }
                }
              ]
            }
          },
          "aggs": {
            "failed_name": {
              "terms": {
                "field": "computer_name"
              }
            }
          }
        }
      }
    }
  },
  "condition": {
    "compare": {
      "ctx.payload.aggregations.failed_name.buckets.3.doc_count": {
        "gte": 3
      }
    }
  },
  "actions": {
    "my-logging-action": {
      "logging": {
        "level": "info",
        "text": "Brute Force Attempt Behaviour Detected: {{ctx.payload.aggregations.failed_name.buckets.3}} "
      }
    }
  }
}

[quote="Christian_Dahlqvist, post:2, topic:99374, full:true"]
You may get more feedback and guidance if you can detail exactly what the logic behind the watch needs to be and what you have tried so far.
[/quote]

Waiting for your kind reply.
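An added example, not from this thread, of a watch that returns the fields asked for above: it buckets failed logons by source address with a `terms` aggregation and attaches a `top_hits` sub-aggregation so each bucket also carries the target computer and user name. It filters on event ID 4625 (the Windows "account failed to log on" event; 4648 records a logon attempted with explicit credentials, which also fires on successful logons), and it assumes pre-ECS Winlogbeat field names (`event_data.IpAddress`, `event_data.TargetUserName`), which must be checked against your index mapping. A 4625 event carries no destination IP; `computer_name` identifies the host that recorded the failures.

```json
{
  "trigger": { "schedule": { "interval": "30s" } },
  "throttle_period": "15m",
  "input": {
    "search": {
      "request": {
        "indices": ["winlogbeat-security-*"],
        "body": {
          "size": 0,
          "query": {
            "bool": {
              "filter": [
                { "range": { "@timestamp": { "gte": "now-15m", "lte": "now" } } },
                { "term": { "event_id": 4625 } }
              ]
            }
          },
          "aggs": {
            "by_source": {
              "terms": {
                "field": "event_data.IpAddress",
                "min_doc_count": 5,
                "size": 10
              },
              "aggs": {
                "sample": {
                  "top_hits": {
                    "size": 1,
                    "_source": ["computer_name", "event_data.TargetUserName"]
                  }
                }
              }
            }
          }
        }
      }
    }
  },
  "condition": {
    "compare": { "ctx.payload.aggregations.by_source.buckets.0.doc_count": { "gte": 5 } }
  },
  "actions": {
    "log_failed_logons": {
      "logging": {
        "level": "warn",
        "text": "Possible brute force (last 15m): {{#ctx.payload.aggregations.by_source.buckets}}source {{key}} -> host {{sample.hits.hits.0._source.computer_name}} user {{sample.hits.hits.0._source.event_data.TargetUserName}} ({{doc_count}} failures); {{/ctx.payload.aggregations.by_source.buckets}}"
      }
    }
  }
}
```

Because `terms` buckets are ordered by `doc_count` descending, bucket `0` is always the noisiest source, so the `compare` condition does not depend on how many buckets exist; the bucket keys and sampled fields are stored with the watch execution in the watcher history index, which is where the dashboard can read them.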


(suchand) #4

Can you help me resolve the issue mentioned in my previous comment?


(system) #5

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.