How to create a rule with aggregation

Hello,

I would like to create a rule where I can detect brute force attack
For example: in winlogbeat-* and auditbeat-* where event.action == logon-failed, aggregation by user.name , and if it's more than 10, it creates an alerts

My problem, is that I don't know how to make the aggregation by user.name

Could you tell me please which type of rule I can use, and is it possible to make aggregation or I can just do it by using watcher script

Thanks for your help !

Hey @TheHunter1 ,

You can use the threshold detection type for this. I put a similar example in this screenshot:

It's very close to the use case you're describing. You can just adjust the index patterns as you wish, as well as the logic (in my case it's looking for 10 or more attempts from the same source ip address, to the same host, with 5 or more unique user names.)

James

2 Likes

Thanks a lot for your answer @jamesspi ,

I configured it to look for 10 or more attemps from the same source.ip address to the same host and using the same user.name and it's working as expected :

I just have one more question.
After detecting the brute force, I would like to know more information about the alert (source.ip, user.name ..etc) in the email alerting

Could you tell me please how can I send those information in the email ?
Thanks for your help.

Hey @TheHunter1 ,

Glad that worked for you.

Usually, you would be able to use {{context.alerts}} for this, like so:

{{#context.alerts}}
User: {{user.name}}
Source IP: {{source.ip}}
{{/context.alerts}}

However, there is a bug in 7.12 at the moment which is preventing this for threshold alerts. The field names containing the results are different to the other alerts (as these are based on aggregations). A fix is coming ASAP!

Thanks,
James

2 Likes

Thanks a lot for much all these precious information :blush: