I am new with Elastic and I have been searching to no avail. I am trying to create a SIEM rule for brute force. How do I write the query for this?
In Microsoft Sentinel, it would be:
let threshold = 5;
TableName
| where EventID == 4025
| summarize
    starttime = min(TimeGenerated),   // first failure in the window
    endtime = max(TimeGenerated),     // most recent failure
    failures = count() by Username, EventID
| where failures > threshold
I am playing around with SIEM in Elastic, but it seems to be catching every failed attempt, which will be too noisy. Secondly, am I able to also aggregate alerts based on an entity, meaning one alert will be generated for user 1 and another alert for user 2, instead of one alert for user 1 + user 2?
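The two things asked for here, a count threshold and one alert per entity, are exactly what the Sentinel query's `summarize ... by Username` does, and the added example below (my code, not from the post or from Elastic) shows that same logic as plain Python over constructed sample events, plus the equivalent rule body for Kibana's detection engine. It assumes ECS field names (`event.code`, `user.name`, `@timestamp`) and Windows event code 4625 for a failed logon (the post uses EventID 4025; substitute whatever your data source emits). The Kibana rule body uses the threshold rule type as I know it from the detection rules API (`POST /api/detection_engine/rules`); check the field names against the docs for your stack version.

```python
from collections import defaultdict
from datetime import datetime, timezone

THRESHOLD = 5             # failed logons per user, same value as the Sentinel query
FAILED_LOGON_CODE = "4625"  # assumption: Windows "An account failed to log on"

# Constructed sample events in ECS field names (not real telemetry).
# alice: 6 failures (and one success that must be ignored), bob: 2, carol: exactly 5.
SAMPLE_EVENTS = [
    {"@timestamp": "2024-05-01T10:00:00Z", "event.code": "4625", "user.name": "alice", "source.ip": "10.0.0.5"},
    {"@timestamp": "2024-05-01T10:00:07Z", "event.code": "4625", "user.name": "alice", "source.ip": "10.0.0.5"},
    {"@timestamp": "2024-05-01T10:00:09Z", "event.code": "4625", "user.name": "bob",   "source.ip": "10.0.0.9"},
    {"@timestamp": "2024-05-01T10:00:12Z", "event.code": "4625", "user.name": "alice", "source.ip": "10.0.0.5"},
    {"@timestamp": "2024-05-01T10:00:15Z", "event.code": "4624", "user.name": "alice", "source.ip": "10.0.0.5"},
    {"@timestamp": "2024-05-01T10:00:20Z", "event.code": "4625", "user.name": "alice", "source.ip": "10.0.0.5"},
    {"@timestamp": "2024-05-01T10:00:25Z", "event.code": "4625", "user.name": "alice", "source.ip": "10.0.0.5"},
    {"@timestamp": "2024-05-01T10:00:31Z", "event.code": "4625", "user.name": "alice", "source.ip": "10.0.0.5"},
    {"@timestamp": "2024-05-01T10:00:40Z", "event.code": "4625", "user.name": "bob",   "source.ip": "10.0.0.9"},
    {"@timestamp": "2024-05-01T10:01:00Z", "event.code": "4625", "user.name": "carol", "source.ip": "10.0.0.7"},
    {"@timestamp": "2024-05-01T10:01:03Z", "event.code": "4625", "user.name": "carol", "source.ip": "10.0.0.7"},
    {"@timestamp": "2024-05-01T10:01:06Z", "event.code": "4625", "user.name": "carol", "source.ip": "10.0.0.7"},
    {"@timestamp": "2024-05-01T10:01:09Z", "event.code": "4625", "user.name": "carol", "source.ip": "10.0.0.7"},
    {"@timestamp": "2024-05-01T10:01:12Z", "event.code": "4625", "user.name": "carol", "source.ip": "10.0.0.7"},
]


def parse_ts(value):
    """Parse the ISO-8601 'Z' timestamps used in the sample data into aware datetimes."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def failed_logons_per_user(events, event_code=FAILED_LOGON_CODE):
    """The 'where EventID == ... | summarize ... by Username' half of the query.

    Returns {user: {"count", "starttime", "endtime"}} over failed-logon events only.
    """
    buckets = defaultdict(list)
    for ev in events:
        if ev.get("event.code") == event_code and ev.get("user.name"):
            buckets[ev["user.name"]].append(parse_ts(ev["@timestamp"]))
    return {
        user: {"count": len(stamps), "starttime": min(stamps), "endtime": max(stamps)}
        for user, stamps in buckets.items()
    }


def brute_force_alerts(events, threshold=THRESHOLD):
    """The 'where count > threshold' half: one alert per user, never one alert per event."""
    summary = failed_logons_per_user(events)
    return [
        {"user.name": user, **stats}
        for user, stats in sorted(summary.items())
        if stats["count"] > threshold
    ]


def threshold_rule_body(threshold=THRESHOLD, event_code=FAILED_LOGON_CODE):
    """Same detection expressed as a Kibana threshold rule (detection engine API).

    A plain 'query' rule alerts on every matching document, which is the noise
    described in the post; a 'threshold' rule grouped on user.name aggregates and
    emits one alert per user. Threshold rules alert once the count reaches `value`,
    so `threshold + 1` reproduces the query's strict 'more than' comparison.
    """
    return {
        "name": "Brute force: excessive failed logons per user",
        "description": f"More than {threshold} failed logons for one user in the lookback window.",
        "type": "threshold",
        "index": ["winlogbeat-*", "logs-windows.*"],   # assumption: adjust to your index pattern
        "language": "kuery",
        "query": f'event.code:"{event_code}"',
        "threshold": {"field": ["user.name"], "value": threshold + 1},
        "from": "now-6m",      # lookback slightly longer than the interval to avoid gaps
        "interval": "5m",
        "risk_score": 47,
        "severity": "medium",
        "enabled": True,
    }


if __name__ == "__main__":
    for alert in brute_force_alerts(SAMPLE_EVENTS):
        print(alert)
    print(threshold_rule_body())
```

Run as written, the script reports a single alert (alice, 6 failures, start 10:00:00, end 10:00:31); bob and carol stay below or at the threshold, and alice's successful 4624 logon is not counted. Adding `source.ip` to the `threshold.field` list would instead give one alert per user-and-source pair, which is the usual way to separate a password spray from a single-host brute force.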