SIEM custom rule to generate an alert if multiple users attempt with the same source IP or the same MAC address

I am trying to generate alerts using a new SIEM rule if more than one user attempts with the same source IP, like a VPN IP, or vice versa, so I want to know whether it is possible via an EQL query or any other kind of rule type. If it is possible, please suggest how to write a query for the above for VPN log analysis. I am using the free version of ELK, not the paid version.

Hey @Priyanka_chauhan, I've never had to write any detections like that, but I'd try to explore it this way:

  • Make sure your source events have some user fields that could be used to identify each user.
  • Create a building block rule that would be tracking those attempts (login attempts or whatever you need to track) and indexing "building block" (hidden) alerts for each attempt. This rule might be a simple Custom query rule or something more complex depending on your definition of an attempt.
  • Create a Threshold rule for grouping attempts by source IP / MAC address and user ID / name. Set its query to look at the building block alerts generated by the rule above. Set Group by to include source.ip, source.mac and any other attributes that would make sense to group by in your case. Set Count to a field that could identify the user, e.g. user.name >= 2.
  • One thing to keep in mind is that your threshold rule's schedule (interval + look-back time) will directly impact the number of generated alerts, because it will define the timeframe within which the rule will be looking for "multiple users doing the same thing".

Hope it helps!
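To make the threshold step concrete, here is an added example (not code from the original thread or from Elastic) that simulates what the Threshold rule above does: group events by one field, count distinct values of another field within the look-back window, and alert when that distinct count reaches 2. It runs over a handful of constructed ECS-style VPN login events and also builds the equivalent Elasticsearch aggregation (terms + cardinality + bucket_selector), which is an illustration of the logic, not the exact query the Kibana rule issues. The event data, timestamps and the `NOW` anchor are assumptions for the demo. It also runs the "vice versa" case (one user from several IPs) and shows how a shorter look-back changes the result, which is the scheduling point made in the last bullet.

```python
"""Simulated Elastic Threshold rule: distinct-count of one field per value of another.

Added example for the thread above; the events below are constructed, not real logs.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample VPN login events using ECS field names (assumed data).
SAMPLE_EVENTS = [
    {"@timestamp": "2024-03-01T08:00:00Z", "user.name": "alice", "source.ip": "203.0.113.10", "event.outcome": "success"},
    {"@timestamp": "2024-03-01T08:05:00Z", "user.name": "bob",   "source.ip": "203.0.113.10", "event.outcome": "success"},
    {"@timestamp": "2024-03-01T08:20:00Z", "user.name": "carol", "source.ip": "198.51.100.7", "event.outcome": "success"},
    {"@timestamp": "2024-03-01T09:30:00Z", "user.name": "carol", "source.ip": "192.0.2.44",   "event.outcome": "success"},
    {"@timestamp": "2024-03-01T12:00:00Z", "user.name": "dave",  "source.ip": "203.0.113.10", "event.outcome": "failure"},
]


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp of the form used in the sample events."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Assumed "rule execution time" for the demo; a real rule uses wall-clock time.
NOW = parse_ts("2024-03-01T13:00:00Z")


def threshold_alerts(events, now, lookback_hours, group_field, cardinality_field, min_cardinality=2):
    """Mimic a Threshold rule with Group by = group_field and a cardinality
    condition on cardinality_field.

    Returns {group_value: sorted distinct cardinality values} for every group
    whose distinct count within [now - lookback, now] is >= min_cardinality.
    """
    window_start = now - timedelta(hours=lookback_hours)
    seen = defaultdict(set)
    for ev in events:
        ts = parse_ts(ev["@timestamp"])
        if ts < window_start or ts > now:
            continue  # outside the rule's look-back window
        seen[ev[group_field]].add(ev[cardinality_field])
    return {key: sorted(vals) for key, vals in seen.items() if len(vals) >= min_cardinality}


def threshold_query(group_field, cardinality_field, min_cardinality=2, lookback_hours=24, max_groups=1000):
    """Build the equivalent Elasticsearch aggregation: one bucket per group value,
    a cardinality sub-aggregation, and a bucket_selector that keeps only buckets
    meeting the threshold. Illustrative; not the query the Kibana rule literally sends.
    """
    return {
        "size": 0,
        "query": {"range": {"@timestamp": {"gte": f"now-{lookback_hours}h", "lte": "now"}}},
        "aggs": {
            "by_group": {
                "terms": {"field": group_field, "size": max_groups},
                "aggs": {
                    "distinct": {"cardinality": {"field": cardinality_field}},
                    "keep": {
                        "bucket_selector": {
                            "buckets_path": {"n": "distinct"},
                            "script": f"params.n >= {min_cardinality}",
                        }
                    },
                },
            }
        },
    }


if __name__ == "__main__":
    # Several users behind one source IP (the question's main case).
    print("shared IP, 24h:", threshold_alerts(SAMPLE_EVENTS, NOW, 24, "source.ip", "user.name"))
    # One user appearing from several source IPs (the "vice versa" case).
    print("shared user, 24h:", threshold_alerts(SAMPLE_EVENTS, NOW, 24, "user.name", "source.ip"))
    # Same data, 1h look-back: only dave's event is in the window, so nothing fires.
    print("shared IP, 1h:", threshold_alerts(SAMPLE_EVENTS, NOW, 1, "source.ip", "user.name"))
    print(threshold_query("source.ip", "user.name"))
```

With the 24-hour look-back, 203.0.113.10 fires (alice, bob, dave) and carol fires in the reverse direction (two IPs); with a 1-hour look-back nothing fires, because only one event falls inside the window. In production you would also filter the events (for example to `event.outcome: success`) before counting, and keep `max_groups` bounded so a large number of distinct IPs does not turn into an oversized query.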

Hi, yes, I have generated the alerts. I have to set this rule to generate alerts with a look-back time of 30 days, or 720 hrs, and run every 1 hr. One day it generated 1200 counts (alerts); after that the rule failed, and the error shows too many counts: max clause count limit 1024 exceeded. So I have to remove this error; for that, I have to increase the count in the Elasticsearch yml file. Or can it be done by changing a cluster setting?
