Alerting

Multi destination brute force attempt rule

Communicator

Hi all,

I am trying to create a rule that alerts when one source IP/user tries to login in to several (more than one) different destinations/hosts but I'm struggling a bit with the syntax. I was wondering if anyone could help, this is what I've got so far:

| from datamodel:"Authentication"."Authentication"
| stats values(tag) as tag, values(app) as app, count(eval('action'=="failure")) as failure, count(eval('action'=="success")) as success by src, user
| where failure>10
| streamstats sum(failure) as totalfails, values(user) as user, values(success) as success, values(failure) as failure by src
| stats list(failure) as fails, list(success) as success, list(user) as user, dc(user) as user_count by src, totalfails
| where user_count > 5

Any help is appreciated, thanks.

0 Karma

Esteemed Legend

Try this:

| from datamodel:"Authentication"."Authentication"
| stats values(tag) AS tag values(app) AS app count(eval('action'=="failure")) AS failure count(eval('action'=="success")) AS success BY src user
| multireport
   [ eventstats sum(failure) AS src_fails sum(success) AS src_successes list(user) AS users dc(user) AS user_count BY src ]
   [ eventstats sum(failure) AS user_fails sum(success) AS user_successes list(src) AS sources dc(src) AS src_count BY user ]
| where user_count > 5 OR src_count > 5

This keeps the raw events to examine but you can change the eventstats to stats to just keep the summary.

0 Karma

Communicator

Thanks for your answer, I gave it a go and it didn't do quite what I need it to do (definitely done better than my search though, I didn't even know multireport was a thing!)

My goal is to alert when a src has at least 3 failed login attempts to 3 different destinations. As if someone was on the network with a few passwords trying different machine after machine till they get in.

It's frying my brain.

0 Karma

Esteemed Legend

Try this:

| from datamodel:"Authentication"."Authentication"
| stats values(tag) AS tag values(app) AS app count(eval('action'=="failure")) AS failureCount count(eval('action'=="success")) AS successCount BY src user dst
| stats sum(failureCount) AS failureCount values(dst) AS destinations dc(dst) AS dstCount BY src
| where failureCount>=3 AND dstCount>=3

I took you literally with destinations but maybe you meant users; if so s/dst/user/g

0 Karma
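As an added example, not from anyone in this thread, here is the same two-stage logic in Python over constructed events, so you can see exactly which sources each threshold catches before wiring the search into an alert. Field names follow the CIM Authentication data model (src, user, dest, action); the thread's dst is dest there, and key="user" gives the s/dst/user/g variant.

```python
from collections import defaultdict

# Constructed sample events shaped like CIM Authentication fields (made-up values).
SAMPLE_EVENTS = [
    # 10.0.0.5: three failures against three different hosts -> should alert
    {"src": "10.0.0.5", "user": "svc_backup", "dest": "host-a", "action": "failure"},
    {"src": "10.0.0.5", "user": "svc_backup", "dest": "host-b", "action": "failure"},
    {"src": "10.0.0.5", "user": "svc_backup", "dest": "host-c", "action": "failure"},
    {"src": "10.0.0.5", "user": "svc_backup", "dest": "host-c", "action": "success"},
    # 10.0.0.12: touches three hosts but only one failure -> no alert (failureCount=1)
    {"src": "10.0.0.12", "user": "admin", "dest": "host-a", "action": "success"},
    {"src": "10.0.0.12", "user": "admin", "dest": "host-b", "action": "success"},
    {"src": "10.0.0.12", "user": "admin", "dest": "host-c", "action": "failure"},
] + [
    # 10.0.0.9: five failures, all against one host -> no alert (dstCount=1)
    {"src": "10.0.0.9", "user": "jsmith", "dest": "host-a", "action": "failure"}
    for _ in range(5)
]


def summarize_by_src(events, key="dest"):
    """Stages 1 and 2 of the posted search: per-src failure total plus the
    distinct values of `key` (dest, or user for the s/dst/user/g variant)."""
    failures = defaultdict(int)
    distinct = defaultdict(set)
    for ev in events:
        src = ev["src"]
        distinct[src].add(ev[key])        # values(dst) / dc(dst): every action counts
        if ev["action"] == "failure":     # count(eval('action'=="failure"))
            failures[src] += 1
    return {src: (failures[src], sorted(distinct[src])) for src in distinct}


def detect(events, min_failures=3, min_targets=3, key="dest"):
    """The `where failureCount>=3 AND dstCount>=3` step: return offending sources."""
    hits = {}
    for src, (fail_count, targets) in summarize_by_src(events, key).items():
        if fail_count >= min_failures and len(targets) >= min_targets:
            hits[src] = {"failures": fail_count, key: targets}
    return hits


if __name__ == "__main__":
    for src, info in detect(SAMPLE_EVENTS).items():
        print(f"ALERT {src}: {info}")
```

Like the posted search, distinct destinations are counted over all of a source's events, so an account that fails three times on one host and then logs in cleanly to two others still trips the rule; to count only destinations that saw a failure, move the `distinct` update under the failure branch.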