Hi All,
I am using Elastic version 7.12. I want to create a threshold-based detection rule. My requirement is as follows.
Identify a possible brute-force attack coming from the same source IP. If there are more than 10 occurrences of event ID 4625 from the same source IP, an alert should trigger.
For that I have configured a detection rule as shown below.
But when I run the preview, it returns zero results, and when I inspect the response I see the shard failure below.
{
"took": 8,
"timed_out": false,
"_shards": {
"total": 39,
"successful": 38,
"skipped": 38,
"failed": 1,
"failures": [
{
"shard": 0,
"index": "winlogbeat-7.12.0-2021.05.28-000037",
"node": "a5GvVwfnSL6vIY9IjCRsqw",
"reason": {
"type": "illegal_argument_exception",
"reason": "'All others' is not an IP string literal."
}
}
]
},
"hits": {
"total": 0,
"max_score": 0,
"hits": []
}
}
The query that was executed is shown below.
{
"aggregations": {
"eventActionGroup": {
"terms": {
"order": {
"_count": "desc"
},
"size": 10,
"field": "source.ip",
"missing": "All others"
},
"aggs": {
"events": {
"date_histogram": {
"field": "@timestamp",
"fixed_interval": "112500ms",
"min_doc_count": 10,
"extended_bounds": {
"min": 1622216794290,
"max": 1622220394290
}
}
}
}
}
},
"query": {
"bool": {
"filter": [
{
"bool": {
"must": [],
"filter": [
{
"bool": {
"should": [
{
"match": {
"event.code": "4625"
}
}
],
"minimum_should_match": 1
}
}
],
"should": [],
"must_not": []
}
},
{
"range": {
"@timestamp": {
"gte": "2021-05-28T15:46:34.290Z",
"lte": "2021-05-28T16:46:34.290Z",
"format": "strict_date_optional_time"
}
}
}
]
}
},
"size": 0
}
Could someone please help me solve this issue?
Thanks.
Someunguy1026