I'm trying to create a watch that will run every hour and look back for possible password spraying attempts. For those who don't know, a password spray is taking one password and trying to log in to many accounts with it. This method usually doesn't trigger any account lockouts. You can catch it by looking for many failed logins for different user accounts from the same source.
I have my query defined and I'm seeing all failed logins aggregated by workstation and username, but I'm not sure how to proceed next: I want a condition so that if the doc_count for the user is higher than 10 for a single workstation, an action is triggered.
Below is what I have so far. I'm very new to this, so any suggestions would be very helpful!
POST _xpack/watcher/watch/_execute
{
  "watch": {
    "trigger": {
      "schedule": {
        "interval": "1m"
      }
    },
    "input": {
      "search": {
        "request": {
          "indices": [
            "win-*"
          ],
          "body": {
            "size": 3,
            "query": {
              "bool": {
                "must": [
                  {
                    "match": {
                      "event_id": "4625"
                    }
                  },
                  {
                    "range": {
                      "@timestamp": {
                        "gte": "now-10m"
                      }
                    }
                  }
                ]
              }
            },
            "aggs": {
              "workstation": {
                "terms": {
                  "field": "event_data.WorkstationName"
                },
                "aggs": {
                  "user": {
                    "terms": {
                      "field": "event_data.TargetUserName"
                    }
                  }
                }
              }
            }
          }
        }
      }
    },
    "actions": {
      "my-logging-action": {
        "logging": {
          "text": "There are {{ctx.payload.hits.total}} documents in your index."
        }
      }
    }
  }
}
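As an added example (not code from the original post), here is one way to finish the watch so that it fires only when a single workstation has failed logons for more than 10 distinct accounts in the last hour. It keeps the page's index pattern, event ID and field names; everything else is an assumption: the watch id `password-spray`, the aggregation name `distinct_users`, the threshold of 10 read as "distinct target accounts per workstation" (if you really mean total failures per workstation, compare `b.doc_count` instead of `b.distinct_users.value`), and the `size` values. A `cardinality` sub-aggregation replaces the nested `terms` agg on the user name because a `terms` agg returns at most `size` buckets (10 by default), so counting its buckets can never exceed the threshold you want to test.

```json
PUT _xpack/watcher/watch/password-spray
{
  "trigger": {
    "schedule": { "interval": "1h" }
  },
  "input": {
    "search": {
      "request": {
        "indices": [ "win-*" ],
        "body": {
          "size": 0,
          "query": {
            "bool": {
              "filter": [
                { "term": { "event_id": "4625" } },
                { "range": { "@timestamp": { "gte": "now-1h" } } }
              ]
            }
          },
          "aggs": {
            "workstation": {
              "terms": { "field": "event_data.WorkstationName", "size": 200 },
              "aggs": {
                "distinct_users": {
                  "cardinality": { "field": "event_data.TargetUserName" }
                }
              }
            }
          }
        }
      }
    }
  },
  "condition": {
    "script": {
      "lang": "painless",
      "params": { "threshold": 10 },
      "source": "for (def b : ctx.payload.aggregations.workstation.buckets) { if (b.distinct_users.value > params.threshold) { return true; } } return false;"
    }
  },
  "transform": {
    "script": {
      "lang": "painless",
      "params": { "threshold": 10 },
      "source": "def spray = []; for (def b : ctx.payload.aggregations.workstation.buckets) { if (b.distinct_users.value > params.threshold) { spray.add(['workstation': b.key, 'distinct_users': b.distinct_users.value, 'failures': b.doc_count]); } } return ['spray': spray];"
    }
  },
  "actions": {
    "log-spray": {
      "logging": {
        "text": "Possible password spray in the last hour: {{#ctx.payload.spray}}{{workstation}} had failed logons for {{distinct_users}} distinct accounts ({{failures}} failures total); {{/ctx.payload.spray}}"
      }
    }
  }
}
```

The `condition` script returns true as soon as any workstation bucket crosses the threshold, so the actions run only then. The `transform` script then rebuilds `ctx.payload` as a list of the offending workstations, which the mustache section `{{#ctx.payload.spray}}...{{/ctx.payload.spray}}` in the logging action iterates over, so the log line names each source instead of just a hit count. To try it without saving, wrap the body in `{"watch": { ... }}` and send it to `_xpack/watcher/watch/_execute` as in the post. One caveat: `WorkstationName` is blank on some 4625 events (depending on logon type), so in practice you may also want to group on `event_data.IpAddress`.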