How to create a rule with aggregation

Hello,

I would like to create a rule where I can detect brute force attack
For example: in winlogbeat-* and auditbeat-* where event.action == logon-failed, aggregation by user.name , and if it's more than 10, it creates an alerts

My problem, is that I don't know how to make the aggregation by user.name

Could you tell me please which type of rule I can use, and is it possible to make aggregation or I can just do it by using watcher script

Thanks for your help !

Hey @TheHunter1 ,

You can use the threshold detection type for this. I put a similar example in this screenshot:

image (5)3570×2410 529 KB

It's very close to the use case you're describing. You can just adjust the index patterns as you wish, as well as the logic (in my case it's looking for 10 or more attempts from the same source ip address, to the same host, with 5 or more unique user names.)

James

Thanks a lot for your answer @jamesspi ,

I configured it to look for 10 or more attemps from the same source.ip address to the same host and using the same user.name and it's working as expected :

image999×541 52 KB

I just have one more question.
After detecting the brute force, I would like to know more information about the alert (source.ip, user.name ..etc) in the email alerting

image966×211 7.89 KB

Could you tell me please how can I send those information in the email ?
Thanks for your help.

Hey @TheHunter1 ,

Glad that worked for you.

Usually, you would be able to use {{context.alerts}} for this, like so:

{{#context.alerts}}
User: {{user.name}}
Source IP: {{source.ip}}
{{/context.alerts}}

However, there is a bug in 7.12 at the moment which is preventing this for threshold alerts. The field names containing the results are different to the other alerts (as these are based on aggregations). A fix is coming ASAP!

Thanks,
James

Thanks a lot for much all these precious information

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.