Elastic SIEM - Detection Rules - Combination of Time-based, Threshold, Aggregation and Sequence Events

How to create rule to detect: "Successful Brute Force Attack"

(When more than 10 Windows logout events (ID 4625) occur AND followed by a Windows login event (ID 4624) on a same host) in 5 minutes timespan

Thresholds: Number of events : 10
Timespan : 5 minutes
Aggregation: Same host
Sequence: 4625 followed by 4624

Hi @tushar.bansal -

We've got just the rule type for you! Have you tried out EQL? To achieve what you asked you could create an EQL rule with the following query:

sequence by host.name with maxspan=5m
  [ event_category_1 where id === 4625 ]
  [ event_category_1 where id === 4625 ]
  [ event_category_1 where id === 4625 ]
  [ event_category_1 where id === 4625 ]
  [ event_category_1 where id === 4625 ]
  [ event_category_1 where id === 4625 ]
  [ event_category_1 where id === 4625 ]
  [ event_category_1 where id === 4625 ]
  [ event_category_1 where id === 4625 ]
  [ event_category_1 where id === 4625 ]
  [ event_category_1 where id === 4624 ]

The docs do a pretty great job explaining the syntax but the above can be broken down as follows:

  • sequence by host.name - match a sequence of events where every event in the sequence shares the same host.name
  • with maxspan=5m - all events in the sequence must occur within a 5 minute timespan
  • [ event_category_1 where id === 4625 ] - would refer to the windows logout events you are looking for

Unfortunately, as of now there's no shorter syntax to say "look for x event to occur x times", however, there is an issue open for it. You're still able to accomplish what you like, it's just much longer syntax for now. Lots of awesome stuff that can be done with EQL! Here's a quick blog post introducing EQL:

Hope that helps!

2 Likes

Firstly, Thank you for your response @yctercero

I have explored EQL and Sequences in EQL. It has a lot of scope in Elastic SIEM ahead.

The link you shared for the issue is showing 404 error code.

Can you re-share the link please.

Will be looking for this issue to be resolved and the feature to be implemented.

Thanks!

However, @yctercero This was a generic example.

Instead if Say, I tweak the above query a little bit,

I want to detect {minimum 100 number of Identical event type X (not specified / not defined - it can be ANY random BUT IDENTICAL events) followed by another event Y (this can be specified say 4624 only)} on a same host in 5 minutes.

Basically any random 100 Similar events (can be 4625, 4626, 4628, anything) followed by a 4624 on same host in 5 minutes.

I cannot be writing 100 lines code for an unknown activity here.

How can this be achieved?

I think what you'd be looking for here is the match any condition. Like it mentions, something like file where true would match any file event.

If you don't mind me asking, in the scenario you mention, would you be looking to have access to all such 100 events or are you just interested in the aggregate?

@yctercero

100 might be a hypothetical number but the threshold I am looking for can be somewhere around 10 or 20 depending on the log source type. And as you mentioned match any condition would just be checking if the value in the field is present or not. But it does not solve the purpose of whether the field is identical or not.

And this question is not just for understanding how aggregation works in ELK, but I am actually interested and in need of this information/solution.
As given in the first example, in order to detect either a successful brute force attack or there are many other vendor based scenarios that can be similar and need this combination.

That is the reason for this thread. And can you kindly reshare the link related this issue.

Apologies, I realized the link is not working because the issue is still under active internal discussion. I'll be sure to circle back around when it makes its way to a Kibana feature request. I can assure you that your input is being considered and much appreciated!