Threshold detection not working with group by

Hi All,

I am using Elastic version 7.12. I want to create a detection rule based on the threshold. My requirements are as follows.

Identify a possible brute-force attack coming from the same source IP. If there are more than 10 incidents of the 4625 event log from the same source IP, an alert should trigger.

For that I have configured a detection rule as below.

But when I run the preview results, it is giving zero. And when I inspect the response I see below.

{
  "took": 8,
  "timed_out": false,
  "_shards": {
    "total": 39,
    "successful": 38,
    "skipped": 38,
    "failed": 1,
    "failures": [
      {
        "shard": 0,
        "index": "winlogbeat-7.12.0-2021.05.28-000037",
        "node": "a5GvVwfnSL6vIY9IjCRsqw",
        "reason": {
          "type": "illegal_argument_exception",
          "reason": "'All others' is not an IP string literal."
        }
      }
    ]
  },
  "hits": {
    "total": 0,
    "max_score": 0,
    "hits": []
  }
}

The query is as below.

{
  "aggregations": {
    "eventActionGroup": {
      "terms": {
        "order": {
          "_count": "desc"
        },
        "size": 10,
        "field": "source.ip",
        "missing": "All others"
      },
      "aggs": {
        "events": {
          "date_histogram": {
            "field": "@timestamp",
            "fixed_interval": "112500ms",
            "min_doc_count": 10,
            "extended_bounds": {
              "min": 1622216794290,
              "max": 1622220394290
            }
          }
        }
      }
    }
  },
  "query": {
    "bool": {
      "filter": [
        {
          "bool": {
            "must": [],
            "filter": [
              {
                "bool": {
                  "should": [
                    {
                      "match": {
                        "event.code": "4625"
                      }
                    }
                  ],
                  "minimum_should_match": 1
                }
              }
            ],
            "should": [],
            "must_not": []
          }
        },
        {
          "range": {
            "@timestamp": {
              "gte": "2021-05-28T15:46:34.290Z",
              "lte": "2021-05-28T16:46:34.290Z",
              "format": "strict_date_optional_time"
            }
          }
        }
      ]
    }
  },
  "size": 0
}

Could someone please help me to solve this issue?

Thanks.
Someunguy1026
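As an added example (not code from this thread, Kibana or Elasticsearch), the following Python builds the same terms/date_histogram body the preview sends and shows why "All others" is rejected as the `missing` value on an ip-typed field; it also evaluates the threshold locally over constructed sample events. The index mapping (`FIELD_TYPES`) and `SAMPLE_DOCS` are assumptions made up for the example.

```python
import ipaddress
from collections import Counter

# Assumed index mapping: source.ip is an 'ip' field, as winlogbeat maps it (assumption).
FIELD_TYPES = {"source.ip": "ip", "user.name": "keyword"}

# Constructed sample events standing in for winlogbeat documents (not from the thread).
SAMPLE_DOCS = (
    [{"event.code": "4625", "source.ip": "10.0.0.5"}] * 12   # one noisy source
    + [{"event.code": "4625", "source.ip": "10.0.0.9"}] * 3  # below threshold
    + [{"event.code": "4624", "source.ip": "10.0.0.5"}] * 4  # successful logons, ignored
    + [{"event.code": "4625"}]                               # no source.ip at all
)


def build_threshold_query(field, event_code, threshold, missing=None):
    """Build the terms/date_histogram body the preview sends. A 'missing' value
    for an ip-typed field must itself be an IP literal; otherwise Elasticsearch
    rejects the shard request with illegal_argument_exception, as in the thread."""
    if missing is not None and FIELD_TYPES.get(field) == "ip":
        try:
            ipaddress.ip_address(missing)
        except ValueError:
            raise ValueError(f"'{missing}' is not an IP string literal.") from None
    terms = {"field": field, "size": 10, "order": {"_count": "desc"}}
    if missing is not None:
        terms["missing"] = missing
    return {
        "size": 0,
        "query": {"bool": {"filter": [{"match": {"event.code": event_code}}]}},
        "aggregations": {"eventActionGroup": {
            "terms": terms,
            "aggs": {"events": {"date_histogram": {
                "field": "@timestamp", "fixed_interval": "112500ms",
                "min_doc_count": threshold}}},
        }},
    }


def evaluate_threshold(docs, field, event_code, threshold):
    """Local equivalent of the rule: count matching events per value of
    `field` and return the values at or above the threshold (min_doc_count).
    Documents lacking the field are dropped, which is what Elasticsearch does
    when no 'missing' value is configured."""
    counts = Counter(
        d[field] for d in docs if d.get("event.code") == event_code and field in d
    )
    return {value: n for value, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    print(evaluate_threshold(SAMPLE_DOCS, "source.ip", "4625", 10))
```

Leaving `missing` out of the terms aggregation (or using a real IP such as 0.0.0.0 as the placeholder) is the shape that an ip-typed field accepts.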

Hey there @Billz1026 :wave:

So this is a known issue with Threshold Rules and the Preview functionality. Your detection rule should still function without issue though, so you can try creating your rule and observing the alerts generated. Please see the below two issues for all the details around this. :slightly_smiling_face:

Cheers!
Garrett


Hi Garrett,

Thanks for the feedback.

BR,
Someunguy1026
