Hello,
I would like to create a rule where I can detect brute force attack
For example: in winlogbeat-* and auditbeat-* where event.action == logon-failed, aggregation by user.name , and if it's more than 10, it creates an alerts
My problem, is that I don't know how to make the aggregation by user.name
Could you tell me please which type of rule I can use, and is it possible to make aggregation or I can just do it by using watcher script
Thanks for your help !
Hey @TheHunter1 ,
You can use the threshold detection type for this. I put a similar example in this screenshot:
It's very close to the use case you're describing. You can just adjust the index patterns as you wish, as well as the logic (in my case it's looking for 10 or more attempts from the same source ip address, to the same host, with 5 or more unique user names.)
James
Thanks a lot for your answer @jamesspi ,
I configured it to look for 10 or more attemps from the same source.ip address to the same host and using the same user.name and it's working as expected :
I just have one more question.
After detecting the brute force, I would like to know more information about the alert (source.ip, user.name ..etc) in the email alerting
Could you tell me please how can I send those information in the email ?
Thanks for your help.
Hey @TheHunter1 ,
Glad that worked for you.
Usually, you would be able to use {{context.alerts}} for this, like so:
{{#context.alerts}}
User: {{user.name}}
Source IP: {{source.ip}}
{{/context.alerts}}
However, there is a bug in 7.12 at the moment which is preventing this for threshold alerts. The field names containing the results are different to the other alerts (as these are based on aggregations). A fix is coming ASAP!
Thanks,
James
Thanks a lot for much all these precious information 
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.