EQL - Rule creation

Rahulvanadavsi · August 9, 2022, 1:06pm

Hi,

We would like to create a use case for password spraying attack and Impossible travel activity in our environment.

Password Spraying Attack - Attacker tying to bruteforce using default passwords for multiple accounts.
Reference - Password Spraying Attack | OWASP Foundation

Impossible travel Activity - user successful login from multiple different location in short span
Reference - Create anomaly detection policies in Defender for Cloud Apps | Microsoft Docs

we would like to create EQL rule for the above cases.

Problem - the command that helps in alerting when different values in same Filed.
For example :
sequence by user_name
[ any where type == "Success"]with runs=2
[ any where ip == "*"](Here we need to capture different IP's exclude same IP's).

We are stuck at how to capture different values for the same field.

We are not using Machine learning currently.

sholzhauer · August 31, 2022, 9:10am

Currently this is not possible with EQL.

I'm not sure on the new "new terms" detection because i haven't been able to test it yet.

system · September 28, 2022, 9:11am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Detection rule for password spraying attempts SIEM	3	1652	December 24, 2020
EQL - Alert on different values for the same field in a sequence Elastic Security	7	991	November 4, 2022
Event correlation rule for new user creation Elastic Agent elastic-stack-security	1	243	October 3, 2022
Threshold detection rule - limitation of group by fields SIEM	4	530	September 19, 2023
SIEM custom rule to generate an alert if multiple users attempts with same source IP or same mac address Elastic Security elastic-stack-alerting	3	820	December 30, 2021

EQL - Rule creation

Related topics