Signal - multiple login failure from same user

probson · November 16, 2020, 12:24pm

Hi,

You could use a threshold rule:

Hopefully the image works. Query = event.code:4625 and field is user.name

Can also use EQL in 7.10 (my rule is filtering is looking more for remote login failures rather than monday morning people forgetting how to use a keyboard pre coffee)

sequence by source.ip with maxspan=300s
      [ authentication where event.action:"logon-failed" and source.ip != "127.0.0.1"  and source.ip != null ] by user.name
      [ authentication where event.action:"logon-failed" and source.ip != "127.0.0.1" and source.ip != null ] by user.name
      [ authentication where event.action:"logon-failed" and source.ip != "127.0.0.1" and source.ip != null ] by user.name

Topic		Replies	Views
How to create alert for multiple login attemps (failed attempts) for every 10mins Elasticsearch elastic-stack-alerting	2	1435	June 7, 2019
Alerting for multiple login failed in 10 minutes Elasticsearch elastic-stack-alerting	3	869	June 10, 2019
Brute Force Detection Rule Elastic Security	4	4221	June 3, 2021
Successful authentication after 3 failures Elasticsearch elastic-stack-alerting	1	430	July 7, 2021
Watcher Threshold Script for Failed Logon Attempts Elasticsearch	1	402	April 2, 2020

Signal - multiple login failure from same user

Related topics