Signal - multiple login failure from same user

Please help me to create a signal for the logic below.

Alert if there are more than 3 login failures from the same user in the last 5 min.

I have included below the watcher query written for the same logic.
"query": {
  "bool": {
    "must": [
      {
        "query_string": {
          "fields": ["event.type"],
          "query": "failed login"
        }
      },
      {
        "range": {
          "@timestamp": { "gte": "now-5m" }
        }
      }
    ]
  }
},
"aggs": {
  "name": {
    "terms": {
      "field": "user.name",
      "min_doc_count": 4
    }
  }
}

Hi,

You could use a threshold rule:

Hopefully the image works. Query = event.code:4625 and field is user.name

You can also use EQL in 7.10 (my rule's filtering is looking more for remote login failures rather than Monday morning people forgetting how to use a keyboard pre-coffee):

sequence by source.ip with maxspan=300s
      [ authentication where event.action:"logon-failed" and source.ip != "127.0.0.1"  and source.ip != null ] by user.name
      [ authentication where event.action:"logon-failed" and source.ip != "127.0.0.1" and source.ip != null ] by user.name
      [ authentication where event.action:"logon-failed" and source.ip != "127.0.0.1" and source.ip != null ] by user.name
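To make the threshold logic from this thread concrete, here is an added example (not from either post) that runs the "more than 3 failures from the same user in 5 minutes" check over constructed ECS-style events, using a sliding 300 s window rather than a fixed `now-5m` snapshot. The sample events, field names and the `4625` failure code follow the answer above; everything else is assumed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample events (ECS-style keys); not taken from the original thread.
EVENTS = [
    {"@timestamp": "2021-01-04T08:00:00Z", "event.code": "4625", "user.name": "alice", "source.ip": "10.0.0.5"},
    {"@timestamp": "2021-01-04T08:01:00Z", "event.code": "4625", "user.name": "alice", "source.ip": "10.0.0.5"},
    {"@timestamp": "2021-01-04T08:02:00Z", "event.code": "4624", "user.name": "alice", "source.ip": "10.0.0.5"},  # successful logon, ignored
    {"@timestamp": "2021-01-04T08:03:00Z", "event.code": "4625", "user.name": "alice", "source.ip": "10.0.0.5"},
    {"@timestamp": "2021-01-04T08:04:30Z", "event.code": "4625", "user.name": "alice", "source.ip": "10.0.0.5"},  # 4th failure within 5 min
    {"@timestamp": "2021-01-04T08:00:00Z", "event.code": "4625", "user.name": "bob",   "source.ip": "10.0.0.9"},
    {"@timestamp": "2021-01-04T08:02:00Z", "event.code": "4625", "user.name": "bob",   "source.ip": "10.0.0.9"},
    {"@timestamp": "2021-01-04T08:04:00Z", "event.code": "4625", "user.name": "bob",   "source.ip": "10.0.0.9"},
    {"@timestamp": "2021-01-04T08:06:00Z", "event.code": "4625", "user.name": "bob",   "source.ip": "10.0.0.9"},  # first failure has aged out
]


def parse_ts(value):
    """Parse the ISO-8601 'Z' timestamps used in the constructed events as UTC."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect_failed_logins(events, threshold=3, window=timedelta(minutes=5), failure_code="4625"):
    """Return {user.name: first timestamp at which failures in the trailing window exceed threshold}.

    Mirrors the rule in the thread: more than `threshold` failed logons for one user
    within `window`. The window slides with each event, so a burst that straddles a
    fixed 5-minute boundary is still caught, while failures older than the window
    no longer count (bob below has only 3 failures inside any 5-minute span).
    """
    recent = defaultdict(deque)   # user -> timestamps of failures still inside the window
    alerts = {}
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        if ev["event.code"] != failure_code:
            continue
        user = ev["user.name"]
        ts = parse_ts(ev["@timestamp"])
        q = recent[user]
        q.append(ts)
        while ts - q[0] > window:  # evict failures that fell out of the trailing window
            q.popleft()
        if len(q) > threshold and user not in alerts:
            alerts[user] = ts      # record only the first time the rule fires per user
    return alerts


if __name__ == "__main__":
    for user, when in detect_failed_logins(EVENTS).items():
        print(f"ALERT: {user} exceeded the failed-login threshold at {when.isoformat()}")
```

Lowering `threshold` to 2 fires for both users, which is a quick way to see how the per-user window behaves before committing the value to a production rule.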