Please help me to create a signal for below logic.
Alert if there is more than 3 login failure from same user in last 5min.
I have mentioned below the watcher query written for same above logic.
“query”: {
“bool”: {
“must”: [ {
“query_string”: {
“fields”: [
“event.type”],
“query”: “failed login”
}},
{“range”:{
“@timestamp”: { “gte”: “now-5m”}}}]
}},
“aggs”: {
“name”:{
“fields”: “user.name”,
“min_doc_count”: 3
}}}
Hi,
You could use a threshold rule:
Hopefully the image works. Query = event.code:4625 and field is user.name
Can also use EQL in 7.10 (my rule is filtering is looking more for remote login failures rather than monday morning people forgetting how to use a keyboard pre coffee)
sequence by source.ip with maxspan=300s
[ authentication where event.action:"logon-failed" and source.ip != "127.0.0.1" and source.ip != null ] by user.name
[ authentication where event.action:"logon-failed" and source.ip != "127.0.0.1" and source.ip != null ] by user.name
[ authentication where event.action:"logon-failed" and source.ip != "127.0.0.1" and source.ip != null ] by user.name
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.