Threshold rule

bex · June 21, 2023, 4:52am

Hello everyone

I would like to clarify.

For example, I am trying to add threshold rule against login failed attempt
If user failes more than 4 times, I should get an alert

From the picture above, I am grouping by "winlolg.event_data.ipAddress(source.ip)" and indicating the threshold to >=4.
Also indicated the count the "winlog.event_data.Substatus(wrong password)" >= 1

I think, should it be vise versa?
I think, the structure of the threshold rule is incorrect.
For example, it should be:
group by "winlolg.event_data.ipAddress(source.ip) >= unique values 1 and
count "winlog.event_data.Substatus(wrong password) " >= threshold 4

Can someone please help the right way?

warkolm · June 22, 2023, 4:19am

Yep that way makes more sense.

system · July 20, 2023, 4:19am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Brute Force Detection Rule Elastic Security	4	3515	June 3, 2021
Threshold detection not working with group by SIEM elastic-stack-alerting	3	785	June 28, 2021
Threshold Rule for Detecting Brute force Attacks Elastic Security	7	3277	November 4, 2022
Unable to create Threshold rule Elastic Security	2	249	November 16, 2022
SIEM Threshold - unique values SIEM	6	1360	September 29, 2020

Threshold rule

Related topics