I would like to create a rule where I can detect a brute force attack.
For example: in winlogbeat-* and auditbeat-* where event.action == logon-failed, aggregation by user.name, and if it's more than 10, it creates an alert.
My problem is that I don't know how to make the aggregation by user.name.
Could you please tell me which type of rule I can use, and whether it is possible to make an aggregation, or I can just do it by using a watcher script?
It's very close to the use case you're describing. You can just adjust the index patterns as you wish, as well as the logic (in my case it's looking for 10 or more attempts from the same source ip address, to the same host, with 5 or more unique user names.)
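The threshold rule the reply describes, written out as an added example (this is not the rule linked from the post, and not Elastic's code). It models what a threshold rule does on each run: keep the events matching the query inside the lookback window, bucket them by the threshold fields, and keep buckets that reach the count (and, optionally, a minimum number of distinct `user.name` values). The sample events are constructed, and the rule-body shape is my assumption about the 7.12-era Kibana detection rule API (`threshold.field` as a list, optional `threshold.cardinality`). The same function also covers the single-account variant (group by `source.ip`, `host.name` and `user.name` with no cardinality condition).

```python
"""Threshold-style brute-force detection: group failed logons by a set of
fields, fire when a group reaches a count threshold and (optionally) a
minimum number of distinct values in another field."""
from collections import defaultdict
from datetime import datetime, timedelta


# Constructed sample events in ECS field layout (what winlogbeat/auditbeat
# produce for logon failures); these are not real records.
def _ev(ts, src, host, user, action="logon-failed"):
    return {"@timestamp": ts, "event.action": action,
            "source.ip": src, "host.name": host, "user.name": user}


T0 = datetime(2021, 4, 1, 12, 0, 0)
SAMPLE_EVENTS = (
    # password spray: one source, one host, 12 failures across 6 accounts
    [_ev(T0 + timedelta(seconds=10 * i), "10.0.0.5", "srv-01", f"user{i % 6}")
     for i in range(12)]
    # single-account brute force: one source, one host, 11 failures, same user
    + [_ev(T0 + timedelta(seconds=5 * i), "10.0.0.7", "srv-01", "admin")
       for i in range(11)]
    # background noise: a few failures from a third source
    + [_ev(T0 + timedelta(seconds=60 * i), "10.0.0.9", "srv-02", "bob")
       for i in range(3)]
    # a successful logon that the query must filter out
    + [_ev(T0, "10.0.0.5", "srv-01", "user1", action="logged-in")]
)


def threshold_rule_body(index, query, group_fields, value, cardinality=None):
    """Request body for a Kibana threshold detection rule.
    Assumption: this is the 7.12-era shape accepted by
    POST /api/detection_engine/rules (threshold.field as a list,
    optional threshold.cardinality as a list of {field, value})."""
    threshold = {"field": list(group_fields), "value": value}
    if cardinality:
        field, minimum = cardinality
        threshold["cardinality"] = [{"field": field, "value": minimum}]
    return {
        "name": "Brute force: repeated failed logons",
        "description": "Failed logons grouped by " + ", ".join(group_fields),
        "type": "threshold", "language": "kuery", "query": query,
        "index": list(index), "threshold": threshold,
        "from": "now-6m", "interval": "5m",
        "risk_score": 47, "severity": "medium", "enabled": True,
    }


def evaluate_threshold(events, query_action, group_fields, value,
                       cardinality=None, window=timedelta(minutes=5), now=None):
    """Local model of one rule execution: filter by query and lookback window,
    bucket by group_fields, then keep buckets with >= value events and,
    if cardinality=(field, minimum) is given, >= minimum distinct values."""
    now = now or max(e["@timestamp"] for e in events)
    buckets = defaultdict(list)
    for e in events:
        if e["event.action"] != query_action:
            continue
        if not (now - window <= e["@timestamp"] <= now):
            continue
        buckets[tuple(e[f] for f in group_fields)].append(e)
    hits = []
    for key, evs in buckets.items():
        if len(evs) < value:
            continue
        hit = dict(zip(group_fields, key))
        hit["count"] = len(evs)
        if cardinality:
            field, minimum = cardinality
            distinct = {e[field] for e in evs}
            if len(distinct) < minimum:
                continue
            hit[f"{field}_unique"] = len(distinct)
        hits.append(hit)
    return hits


if __name__ == "__main__":
    import json
    body = threshold_rule_body(["winlogbeat-*", "auditbeat-*"],
                               'event.action:"logon-failed"',
                               ["source.ip", "host.name"], 10,
                               cardinality=("user.name", 5))
    print(json.dumps(body, indent=2))
    # spray variant: fires for 10.0.0.5 -> srv-01 (12 failures, 6 accounts)
    print(evaluate_threshold(SAMPLE_EVENTS, "logon-failed",
                             ["source.ip", "host.name"], 10,
                             cardinality=("user.name", 5)))
    # single-account variant: fires for 10.0.0.7 -> srv-01 -> admin (11 failures)
    print(evaluate_threshold(SAMPLE_EVENTS, "logon-failed",
                             ["source.ip", "host.name", "user.name"], 10))
```

Note that the two variants catch different things on the same data: the cardinality condition (5 or more distinct `user.name` values) matches the spray from 10.0.0.5 but ignores the 11 failures against `admin`, while grouping by `user.name` as well does the opposite. Which one to deploy depends on which pattern is of interest; running both as separate rules is the usual answer.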
I configured it to look for 10 or more attempts from the same source.ip address to the same host and using the same user.name, and it's working as expected:
I just have one more question.
After detecting the brute force, I would like to know more information about the alert (source.ip, user.name ..etc) in the email alerting
However, there is a bug in 7.12 at the moment which is preventing this for threshold alerts. The field names containing the results are different to the other alerts (as these are based on aggregations). A fix is coming ASAP!