Detection rule: Failed login attempts

Hi, I've created my own detection rule for employees' failed login attempts. It does work, but when a signal comes to the Security -> Detection dashboard, it does not show user.name or host.name.
This is a screenshot of my rule:


Is there a way to update my rule so that it would show user.name or host.name?
This is a screenshot of the fired signal:

Regards
Ema

Only if you use user.name or host.name in the group by, and that is dependent on what you want to do.

Usually group by host.name or source.ip (depending on the logs) so that you are looking for multiple failed logins from a device. If you look for multiple failed logins full stop, you might get lots of failed logins come Monday morning at 9am, for example. This is more for scatter of user names.

If you group by user.name then you're looking more for brute force attempts.
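
The grouping choice described in the reply above, as an added illustration (not code from the thread or from Elastic). It runs a threshold count over constructed failed-login events and shows that a signal carries a single value only for the field it was grouped by; the event values, the `threshold_signals` helper and the threshold of 5 are assumptions made for the example.

```python
from collections import defaultdict

# Constructed sample events (not real logs): failed logins with ECS-style field names.
EVENTS = (
    # One host trying many different accounts (a scatter of user names).
    [{"host.name": "ws-17", "user.name": f"user{i}", "event.outcome": "failure"}
     for i in range(6)]
    # One account failing from several hosts (brute force against a single user).
    + [{"host.name": f"ws-{i}", "user.name": "ema", "event.outcome": "failure"}
       for i in range(20, 26)]
    # Background noise: individual mistyped passwords.
    + [{"host.name": f"ws-{i}", "user.name": f"staff{i}", "event.outcome": "failure"}
       for i in range(40, 44)]
)


def threshold_signals(events, group_by, threshold):
    """Hypothetical helper: count failures per `group_by` value and
    return one signal for each group at or above `threshold`."""
    other = "user.name" if group_by == "host.name" else "host.name"
    counts = defaultdict(int)
    distinct_other = defaultdict(set)
    for ev in events:
        if ev.get("event.outcome") != "failure":
            continue
        key = ev[group_by]
        counts[key] += 1
        distinct_other[key].add(ev[other])
    # Only the grouped field has one value per signal; the other field
    # spans many events, so it can only be summarised as a distinct count.
    return [
        {group_by: key, "count": n, f"distinct {other}": len(distinct_other[key])}
        for key, n in sorted(counts.items())
        if n >= threshold
    ]


if __name__ == "__main__":
    for field in ("host.name", "user.name"):
        print(field, threshold_signals(EVENTS, field, threshold=5))
```

Grouped by host.name, only the device hitting many accounts crosses the threshold; grouped by user.name, only the repeatedly targeted account does.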

Thank you @probson. I adjusted the detection rule according to your advice and I'll wait for the results.
