I want to create an alert that monitors 5+ authentication failures for VPN login within an hour, but I'm not sure how to get the alert to monitor for 5+ failures for any single user.
Here's an example log:
[2020-08-17 11:40:10,550] [IG Audit Writer] [INFO ] [IG.AUDIT] [AUD7505] [VPN_AD_Group/user] The Radius server ise_servers rejected authentication for user VPN_AD_Group/user.
@clwboscovs
Could you please tell me what the user name is in your log?
And is the user name already extracted into a field?
index=<your index> sourcetype=<your sourcetype> "The Radius server ise_servers rejected authentication"
| stats count by user
| where count >= 5
index=yourindex rejected authentication
| rex "\s(?<user>[\w\/]+)\.$"
| stats count by user
| where count >= 5
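The searches above count failures per user over whatever time range the alert is scheduled for; a true "5 or more within any one hour" check needs a sliding window. As an added example that is not part of the original thread, the following Python reproduces the regex from the rex answer and the per-user threshold over a rolling one-hour window, run against a handful of constructed log lines modelled on the one in the question (user names, timestamps and the non-rejection line are invented for the demonstration):

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in the format shown in the question (not real audit data).
# alice: 5 rejections inside 40 minutes -> should alert.
# bob:   6 rejections, 50 minutes apart  -> never 5 inside one hour, no alert.
# carol: 3 rejections -> below the threshold.
# The "accepted authentication" line is a placeholder non-rejection event.
SAMPLE_LOGS = [
    "[2020-08-17 11:40:10,550] [IG Audit Writer] [INFO ] [IG.AUDIT] [AUD7505] [VPN_AD_Group/alice] The Radius server ise_servers rejected authentication for user VPN_AD_Group/alice.",
    "[2020-08-17 11:41:05,001] [IG Audit Writer] [INFO ] [IG.AUDIT] [AUD7505] [VPN_AD_Group/alice] The Radius server ise_servers rejected authentication for user VPN_AD_Group/alice.",
    "[2020-08-17 11:45:30,120] [IG Audit Writer] [INFO ] [IG.AUDIT] [AUD7505] [VPN_AD_Group/alice] The Radius server ise_servers rejected authentication for user VPN_AD_Group/alice.",
    "[2020-08-17 12:02:11,300] [IG Audit Writer] [INFO ] [IG.AUDIT] [AUD7505] [VPN_AD_Group/alice] The Radius server ise_servers rejected authentication for user VPN_AD_Group/alice.",
    "[2020-08-17 12:19:59,999] [IG Audit Writer] [INFO ] [IG.AUDIT] [AUD7505] [VPN_AD_Group/alice] The Radius server ise_servers rejected authentication for user VPN_AD_Group/alice.",
    "[2020-08-17 09:00:00,000] [IG Audit Writer] [INFO ] [IG.AUDIT] [AUD7505] [VPN_AD_Group/bob] The Radius server ise_servers rejected authentication for user VPN_AD_Group/bob.",
    "[2020-08-17 09:50:00,000] [IG Audit Writer] [INFO ] [IG.AUDIT] [AUD7505] [VPN_AD_Group/bob] The Radius server ise_servers rejected authentication for user VPN_AD_Group/bob.",
    "[2020-08-17 10:40:00,000] [IG Audit Writer] [INFO ] [IG.AUDIT] [AUD7505] [VPN_AD_Group/bob] The Radius server ise_servers rejected authentication for user VPN_AD_Group/bob.",
    "[2020-08-17 11:30:00,000] [IG Audit Writer] [INFO ] [IG.AUDIT] [AUD7505] [VPN_AD_Group/bob] The Radius server ise_servers rejected authentication for user VPN_AD_Group/bob.",
    "[2020-08-17 12:20:00,000] [IG Audit Writer] [INFO ] [IG.AUDIT] [AUD7505] [VPN_AD_Group/bob] The Radius server ise_servers rejected authentication for user VPN_AD_Group/bob.",
    "[2020-08-17 13:10:00,000] [IG Audit Writer] [INFO ] [IG.AUDIT] [AUD7505] [VPN_AD_Group/bob] The Radius server ise_servers rejected authentication for user VPN_AD_Group/bob.",
    "[2020-08-17 14:00:00,000] [IG Audit Writer] [INFO ] [IG.AUDIT] [AUD7505] [VPN_AD_Group/carol] The Radius server ise_servers rejected authentication for user VPN_AD_Group/carol.",
    "[2020-08-17 14:10:00,000] [IG Audit Writer] [INFO ] [IG.AUDIT] [AUD7505] [VPN_AD_Group/carol] The Radius server ise_servers rejected authentication for user VPN_AD_Group/carol.",
    "[2020-08-17 14:20:00,000] [IG Audit Writer] [INFO ] [IG.AUDIT] [AUD7505] [VPN_AD_Group/carol] The Radius server ise_servers rejected authentication for user VPN_AD_Group/carol.",
    "[2020-08-17 12:00:00,000] [IG Audit Writer] [INFO ] [IG.AUDIT] [AUD0000] [VPN_AD_Group/dave] The Radius server ise_servers accepted authentication for user VPN_AD_Group/dave.",
]

# Timestamp from the leading bracket, user from the trailing "user GROUP/name." as in the rex answer.
REJECT_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\].*rejected authentication for user\s(?P<user>[\w/]+)\.$"
)


def parse_line(line):
    """Return (timestamp, user) for a rejection line, or None for anything else."""
    m = REJECT_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S,%f")
    return ts, m.group("user")


def find_brute_force(lines, threshold=5, window=timedelta(hours=1)):
    """Return one alert per user whose rejections reach `threshold` within any `window`.

    Events are processed in time order; for each user a deque holds the
    timestamps still inside the window ending at the current event.
    """
    events = sorted(e for e in map(parse_line, lines) if e)
    recent = defaultdict(deque)
    alerted = set()
    alerts = []
    for ts, user in events:
        q = recent[user]
        q.append(ts)
        # Drop events that fell out of the trailing window.
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and user not in alerted:
            alerted.add(user)
            alerts.append({"user": user, "window_start": q[0], "window_end": ts, "count": len(q)})
    return alerts


if __name__ == "__main__":
    for a in find_brute_force(SAMPLE_LOGS):
        print(f"{a['user']}: {a['count']} failures between {a['window_start']} and {a['window_end']}")
```

Only alice trips the rule: bob accumulates six failures over the day but never five inside one hour, which `stats count by user` over a whole-day search would miss. In SPL the same rolling count can be expressed with `streamstats time_window=1h count by user` on events sorted by `_time`, rather than relying on the alert's scheduled range to be exactly one hour.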
The field for the sourcetype is "user", so your solution works for me perfectly. Thank you!