I'm trying to create a visualization that tells when an account is being attacked with a distributed brute force kind of attack. The idea is to have (initially I tried with cloud tag but I ended up with data table) a place where I can see the account names of the users with failed logins with a count of 5 or more originating IPs.
For instance, if account_1 fails to login 10 times from the same IP, that would be irrelevant for this visualization and should not show. If account_2 fails to login 10 times but using 5 or more different IPs, that account name should appear in the visualization.
I do have logs parsed already which apply the tags and keywords:
- oip.keyword: which contains the originating IP
- account.keyword: which contains the account name of the user
- authentication_failed: which is a tag applied to the logs registering a failed auth attempt
I'll show you what I have now, although it is not working as expected.
- I created a search which uses this to find the relevant logs "tags: authentication_failed AND exists: oip"
- I created a visualization of type "data table" based on the previous search.
- The visualization looks like this right now.
In this example, I would only like to see "email@example.com" as it is the only account with login attempts using different IPs (I'm using 3 as the limit of different IPs being used for ease of testing, as I don't have access to more IPs right now to test from). The account "test1" also had some failed login attempts, but those should not be relevant as they are made from the same IP.
Could you please give me a tip or advice on how to accomplish this? I've been trying different things for 3-4 hours now but I'm not able to achieve what I need.
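The logic being asked for (count distinct originating IPs per account over failed-auth events and keep only accounts at or above a threshold) as an added example, not code from the original post: it uses the post's field names (`account`, `oip`, the `authentication_failed` tag), runs the check locally over a constructed sample set, and builds the equivalent Elasticsearch aggregation request (terms split on `account.keyword`, `cardinality` on `oip.keyword`, `bucket_selector` to drop single-IP accounts). The sample events and the threshold of 3 are assumptions for illustration.

```python
from collections import defaultdict

# Constructed sample events mirroring the post's parsed fields (not real logs).
SAMPLE_LOGS = [
    {"account": "email@example.com", "oip": "203.0.113.1", "tags": ["authentication_failed"]},
    {"account": "email@example.com", "oip": "203.0.113.2", "tags": ["authentication_failed"]},
    {"account": "email@example.com", "oip": "203.0.113.3", "tags": ["authentication_failed"]},
    {"account": "email@example.com", "oip": "203.0.113.1", "tags": ["authentication_failed"]},
    {"account": "test1", "oip": "198.51.100.7", "tags": ["authentication_failed"]},
    {"account": "test1", "oip": "198.51.100.7", "tags": ["authentication_failed"]},
    {"account": "test1", "oip": "198.51.100.7", "tags": ["authentication_failed"]},
    {"account": "test1", "oip": "198.51.100.9", "tags": ["authentication_ok"]},  # success: ignored
    {"account": "svc", "tags": ["authentication_failed"]},  # no oip: ignored
]


def distributed_failed_logins(events, min_distinct_ips=3):
    """Return {account: distinct_ip_count} for accounts whose failed logins
    came from at least min_distinct_ips different originating IPs.
    Repeated failures from one IP count once, so test1 above is dropped."""
    ips_by_account = defaultdict(set)
    for ev in events:
        if "authentication_failed" not in ev.get("tags", []):
            continue
        if not ev.get("oip") or not ev.get("account"):
            continue
        ips_by_account[ev["account"]].add(ev["oip"])
    return {a: len(ips) for a, ips in ips_by_account.items() if len(ips) >= min_distinct_ips}


def es_aggregation_query(min_distinct_ips=3):
    """Same check as an Elasticsearch request body: filter to failed logins
    with an oip, split rows by account, count unique IPs, keep only buckets
    at or above the threshold. cardinality is approximate, but exact for
    counts this small (well below its default precision_threshold)."""
    return {
        "size": 0,
        "query": {"bool": {"filter": [
            {"term": {"tags": "authentication_failed"}},
            {"exists": {"field": "oip"}},
        ]}},
        "aggs": {"by_account": {
            "terms": {"field": "account.keyword", "size": 500},
            "aggs": {
                "distinct_ips": {"cardinality": {"field": "oip.keyword"}},
                "keep_distributed": {"bucket_selector": {
                    "buckets_path": {"n": "distinct_ips"},
                    "script": f"params.n >= {min_distinct_ips}",
                }},
            },
        }},
    }
```

The request body can be sent to `_search` directly (for example from Dev Tools) to verify the per-account distinct-IP counts before deciding how to present them in Kibana.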