Hi, I've created my own detection rule for employees' failed login attempts. It does work, but when the signal comes to Security -> Detection dashboard, it does not show user.name or host.name.
This is a screenshot of my rule:
Only if you use user.name or host.name in the group by, and that is dependent on what you want to do.
Usually group by host.name or source.ip (depending on the logs) so that you are looking at multiple failed logins from a device. If you look for multiple failed logins full stop, you might see lots of failed logins come Monday morning at 9am, for example. This is more for a scatter of user names.
If you group by user.name then you're looking more for brute force attempts.
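To make the grouping point concrete, here is an added example written for this thread (not code from the original post or from Elastic). It emulates what a threshold rule's group-by does over a handful of constructed ECS-style failed-login events: with no group-by there is one bucket and the alert carries no user.name, host.name or source.ip; grouped by source.ip you catch a spray (many user names from one source) and a brute force alike; grouped by user.name you only catch the brute force against a single account. The event data, thresholds and function names are assumptions for illustration.

```python
from collections import Counter, defaultdict

# Constructed ECS-style events for illustration; not real logs.
EVENTS = [
    # Password spray: one source, one failure against each of several users.
    {"@timestamp": "2024-01-08T09:00:01Z", "event.outcome": "failure", "user.name": "alice", "source.ip": "10.0.0.5", "host.name": "vpn-gw-1"},
    {"@timestamp": "2024-01-08T09:00:02Z", "event.outcome": "failure", "user.name": "bob",   "source.ip": "10.0.0.5", "host.name": "vpn-gw-1"},
    {"@timestamp": "2024-01-08T09:00:03Z", "event.outcome": "failure", "user.name": "carol", "source.ip": "10.0.0.5", "host.name": "vpn-gw-1"},
    {"@timestamp": "2024-01-08T09:00:04Z", "event.outcome": "failure", "user.name": "dave",  "source.ip": "10.0.0.5", "host.name": "vpn-gw-1"},
    # Brute force: one source hammering a single account.
    {"@timestamp": "2024-01-08T09:01:00Z", "event.outcome": "failure", "user.name": "admin", "source.ip": "10.0.0.9", "host.name": "vpn-gw-1"},
    {"@timestamp": "2024-01-08T09:01:01Z", "event.outcome": "failure", "user.name": "admin", "source.ip": "10.0.0.9", "host.name": "vpn-gw-1"},
    {"@timestamp": "2024-01-08T09:01:02Z", "event.outcome": "failure", "user.name": "admin", "source.ip": "10.0.0.9", "host.name": "vpn-gw-1"},
    {"@timestamp": "2024-01-08T09:01:03Z", "event.outcome": "failure", "user.name": "admin", "source.ip": "10.0.0.9", "host.name": "vpn-gw-1"},
    {"@timestamp": "2024-01-08T09:01:04Z", "event.outcome": "failure", "user.name": "admin", "source.ip": "10.0.0.9", "host.name": "vpn-gw-1"},
    # Monday-morning noise: unrelated users each mistyping once from their own machine.
    {"@timestamp": "2024-01-08T09:02:00Z", "event.outcome": "failure", "user.name": "erin",  "source.ip": "10.0.1.21", "host.name": "vpn-gw-2"},
    {"@timestamp": "2024-01-08T09:02:10Z", "event.outcome": "failure", "user.name": "frank", "source.ip": "10.0.1.22", "host.name": "vpn-gw-2"},
    {"@timestamp": "2024-01-08T09:02:20Z", "event.outcome": "failure", "user.name": "grace", "source.ip": "10.0.1.23", "host.name": "vpn-gw-2"},
    # A successful login that the rule must ignore.
    {"@timestamp": "2024-01-08T09:02:30Z", "event.outcome": "success", "user.name": "grace", "source.ip": "10.0.1.23", "host.name": "vpn-gw-2"},
]


def failed(events):
    """Keep only failed login events (the rule's query filter)."""
    return [e for e in events if e.get("event.outcome") == "failure"]


def threshold_alerts(events, threshold, group_by=None):
    """Emulate a threshold rule (hypothetical helper, not Elastic's implementation).

    With group_by=None every failure lands in one bucket, so the alert has a count
    and nothing else: no user.name, host.name or source.ip to show on the signal.
    With group_by set, one alert is produced per distinct value at or above the
    threshold, and that field is carried on the alert.
    """
    fails = failed(events)
    if group_by is None:
        return [{"failed_logins": len(fails)}] if len(fails) >= threshold else []
    counts = Counter(e[group_by] for e in fails if group_by in e)
    return [
        {group_by: value, "failed_logins": n}
        for value, n in sorted(counts.items())
        if n >= threshold
    ]


def distinct_users_per_source(events):
    """Number of distinct user.name values each source.ip failed against.

    A high value is the 'scatter of user names' (spray) pattern the source.ip
    grouping is good at; a value of 1 with a high failure count is brute force,
    which the user.name grouping would also catch on its own.
    """
    users = defaultdict(set)
    for e in failed(events):
        users[e["source.ip"]].add(e["user.name"])
    return {ip: len(names) for ip, names in users.items()}


if __name__ == "__main__":
    print("no group by:", threshold_alerts(EVENTS, 4))
    print("by source.ip:", threshold_alerts(EVENTS, 4, "source.ip"))
    print("by user.name:", threshold_alerts(EVENTS, 4, "user.name"))
    print("distinct users per source:", distinct_users_per_source(EVENTS))
```

Run it and compare the three alert lists: the ungrouped rule fires once on the 12 failures with no identifying fields at all (the symptom in the question), the source.ip grouping fires on both 10.0.0.5 and 10.0.0.9, and the user.name grouping fires only on admin. The three one-off failures from the 10.0.1.x users never reach the threshold under either grouping, which is the Monday-morning noise the grouping is there to suppress.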