Hello,
I would like to create a rule that can detect a brute force attack.
For example: in winlogbeat-* and auditbeat-*, where event.action == logon-failed, aggregated by user.name, and if it's more than 10, it creates an alert.
My problem is that I don't know how to make the aggregation by user.name.
Could you tell me please which type of rule I can use, and whether it is possible to make an aggregation, or whether I can only do it by using a watcher script?
Thanks for your help!
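The detection described above, as an added example that is not part of the original post: build_query() shows the Elasticsearch request body (terms aggregation on user.name, filtered to event.action = logon-failed) that a watcher or scheduled job would send, and users_over_threshold() applies the same "more than 10 per user" logic locally so it can be checked on constructed sample events. The 10-minute window and the threshold value are assumptions taken from the question.

```python
"""Added example (not from the original post): flag users with more than
10 logon-failed events. build_query() is the Elasticsearch request a
watcher or scheduled job would send; users_over_threshold() is the same
aggregation done locally so the logic can be tested on sample events.
Field names follow ECS (event.action, user.name); the 10-minute window
and the index patterns winlogbeat-*,auditbeat-* are assumptions."""
from collections import Counter

THRESHOLD = 10  # alert when one user.name exceeds this many failures


def build_query(window: str = "now-10m") -> dict:
    """Query DSL body: size 0 (only buckets matter), terms aggregation on
    user.name, min_doc_count hides users at or below the threshold."""
    return {
        "size": 0,
        "query": {"bool": {"filter": [
            {"term": {"event.action": "logon-failed"}},
            {"range": {"@timestamp": {"gte": window}}},
        ]}},
        "aggs": {"by_user": {"terms": {
            "field": "user.name",
            "min_doc_count": THRESHOLD + 1,
            "size": 100,
        }}},
    }


def users_over_threshold(events, threshold: int = THRESHOLD) -> dict:
    """Local equivalent of the aggregation: count logon-failed events per
    user.name and return {user: count} for users strictly above threshold."""
    counts = Counter(
        e["user.name"] for e in events
        if e.get("event.action") == "logon-failed" and "user.name" in e
    )
    return {user: n for user, n in counts.items() if n > threshold}


# Constructed sample batch: 12 failures for "svc_backup", 3 for "alice",
# and 5 successful logons that the event.action filter must ignore.
SAMPLE_EVENTS = (
    [{"event.action": "logon-failed", "user.name": "svc_backup"}] * 12
    + [{"event.action": "logon-failed", "user.name": "alice"}] * 3
    + [{"event.action": "logged-in", "user.name": "svc_backup"}] * 5
)

if __name__ == "__main__":
    print(users_over_threshold(SAMPLE_EVENTS))  # {'svc_backup': 12}
```

The request body from build_query() can be pasted into a Dev Tools `GET winlogbeat-*,auditbeat-*/_search` call to see the same per-user buckets the local function computes.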