EQL - Rule creation

Rahulvanadavsi · August 9, 2022, 1:06pm

Hi,

We would like to create a use case for password spraying attack and Impossible travel activity in our environment.

Password Spraying Attack - Attacker tying to bruteforce using default passwords for multiple accounts.
Reference - Password Spraying Attack | OWASP Foundation

Impossible travel Activity - user successful login from multiple different location in short span
Reference - Create anomaly detection policies in Defender for Cloud Apps | Microsoft Docs

we would like to create EQL rule for the above cases.

Problem - the command that helps in alerting when different values in same Filed.
For example :
sequence by user_name
[ any where type == "Success"]with runs=2
[ any where ip == "*"](Here we need to capture different IP's exclude same IP's).

We are stuck at how to capture different values for the same field.

We are not using Machine learning currently.

sholzhauer · August 31, 2022, 9:10am

Currently this is not possible with EQL.

I'm not sure on the new "new terms" detection because i haven't been able to test it yet.

Topic		Replies	Views
EQL without pre defined field values SIEM eql-elastic-query-language	2	377	December 26, 2022
EQL - Alert on different values for the same field in a sequence Elastic Security	7	1226	November 4, 2022
Create a condition in EQL/ES\|QL query for alert Elastic Security	1	85	April 9, 2025
How to detect network scan using EQL Elasticsearch	5	2062	April 7, 2021
EQL Language trouble when creating custom rule Kibana detection-rules , eql-elastic-query-language	1	352	October 13, 2023

EQL - Rule creation

Related topics