EQL - Rule creation


We would like to create a use case for password spraying attacks and impossible travel activity in our environment.

Password Spraying Attack - Attacker trying to brute-force using default passwords across multiple accounts.
Reference - Password Spraying Attack | OWASP Foundation

Impossible travel Activity - a user logs in successfully from multiple different locations in a short span.
Reference - Create anomaly detection policies in Defender for Cloud Apps | Microsoft Docs

We would like to create EQL rules for the above cases.

Problem - the command that helps alert when there are different values in the same field.
For example:
sequence by user_name
[any where type == "Success"] with runs=2
[any where ip == "*"] (Here we need to capture different IPs and exclude the same IP.)

We are stuck at how to capture different values for the same field.

We are not using Machine learning currently.


Currently this is not possible with EQL.

I'm not sure about the new "new terms" detection because I haven't been able to test it yet.
