Multisearch - Brute Force Attempts for both Linux and Windows

johnward4 — Tue, 24 Oct 2017 02:23:17 GMT

I am trying to create an alert to monitor for brute force attempt behavior for both linux and windows systems using a multisearch to stack my queries. I currently use the following query for Linux but do not have a goto windows alert that works and had a hard time finding one on answers...

Linux system Brute Force query :

sourcetype="linux_secure" process=sshd "password for" | rex field=_raw "(?<result>Accepted|Failed) password for (?<user>\w+) from (?<src>[0-9A-Fa-f:\.]+)" |eval success=if(result=="Failed",0,1), fail=if(result=="Failed",1,0) |stats range(_time) as range_secs sum(success) as success, sum(fail) as fail by host src |where fail!=0 |eval fail_rate_in_seconds=round(range_secs/fail,2) |where fail>10 AND success>0 | iplocation src |table host src success fail fail_rate_in_seconds Country

Re: Multisearch - Brute Force Attempts for both Linux and Windows

gcusello — Tue, 29 Sep 2020 16:24:16 GMT

Hi johnward4,
I suggest to use eventtype or tags:
create an eventtype for windows (e.g. win_log_fail tag=LOGFAIL)

index=wineventlog sourcetype=WinEventLog:Security (EventCode=4625 OR EventCode=529)

and an eventtype for linux (e.g. linux_log_fail tag=LOGFAIL)

index=linux sourcetype=linux "error: PAM: Authentication failure for "

so you can have in the same search both the results and you can count failures for each host without distinction between linux and windows:

tag=LOGFAIL
| ...

If you want to extract a field, you can do this for each sourcetype and then correlate them using coalesce function in eval command.

Bye.
Giuseppe

topic Multisearch - Brute Force Attempts for both Linux and Windows in Alerting

Multisearch - Brute Force Attempts for both Linux and Windows

Re: Multisearch - Brute Force Attempts for both Linux and Windows