I'm trying to write a use case to detect potentially suspicious activity based around 2FA attempt logs. Basically I want to look for 2FA failures where the same user had a "bad passcode", "request timed out" and "user cancelled" failure reason all within 5 minutes, since this behavior would correlate to some suspicious activity we've seen recently. I can't find much guidance for building this online, though I suspect it can be achieved via the streamstats or transaction command.
Anyone have any clues on how this might be done?
sourcetype="2FA_logs"
result=FAILURE
reason="Invalid Passcode" OR reason="No response" OR reason="User cancelled"
alert --> any time a user has all three events in 5 minutes
Is username contained in the same sourcetype? If your username and reason/result are in different indexes/sourcetypes, then what is the common field value in order to match them?
If you could provide sample event then it would be better.
It would all be from the same sourcetype, in this case "sourcetype=2FA_logs". Will work on grabbing some sanitized log examples.
Then this query would work:
sourcetype="2FA_logs"
result=FAILURE
(reason="Invalid Passcode" OR reason="No response" OR reason="User cancelled") | stats dc(reason) as events by user | where events>=3
After this, save this search as an alert and schedule it to run every 5 min.
Let me know if this helps!
My initial thoughts are that you should create a table with all your metrics, split by user. You should then assign a value to each metric, so yes=1 and no=0. You should then sum those values, and if the summed value equals the total number of metrics then it will clearly show the user affected.
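As an added example that is not part of this thread or any of its answers, the following Python script models the two ways of evaluating the "all three reasons for one user within 5 minutes" condition discussed above: a sliding window per user (what `streamstats time_window=5m dc(reason) by user` computes event by event) and a fixed 5-minute bucket (what a `stats dc(reason) by user` search scheduled every 5 minutes over the last 5 minutes sees). Checking that the set of reasons in the window equals the three required reasons is the same test as summing the 0/1 indicators in the last answer and comparing the total to 3. The log lines, timestamp format and field names `user`, `result` and `reason` are constructed assumptions for the example; the original poster's sourcetype may name them differently.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# The three failure reasons that must all appear for one user.
REQUIRED_REASONS = frozenset({"Invalid Passcode", "No response", "User cancelled"})
WINDOW = timedelta(minutes=5)

# Constructed sample events (not real 2FA logs) in the key=value shape the thread
# describes. 'alice' fails all three ways inside one 5-minute bucket, 'carol' fails
# all three ways within 5 minutes but straddling the 10:05 boundary, and 'bob' has
# all three reasons spread over 7 minutes.
SAMPLE_LOGS = """\
2024-05-01T10:00:05Z result=FAILURE reason="Invalid Passcode" user=alice
2024-05-01T10:01:10Z result=FAILURE reason="No response" user=alice
2024-05-01T10:02:00Z result=FAILURE reason="Invalid Passcode" user=bob
2024-05-01T10:03:00Z result=FAILURE reason="No response" user=carol
2024-05-01T10:03:30Z result=FAILURE reason="User cancelled" user=alice
2024-05-01T10:04:00Z result=FAILURE reason="No response" user=bob
2024-05-01T10:04:30Z result=FAILURE reason="Invalid Passcode" user=carol
2024-05-01T10:06:00Z result=FAILURE reason="User cancelled" user=carol
2024-05-01T10:07:00Z result=SUCCESS reason="" user=alice
2024-05-01T10:09:00Z result=FAILURE reason="User cancelled" user=bob
"""

# key=value pairs, with the value either double-quoted (may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_events(text):
    """Parse log lines into (timestamp, user, result, reason) tuples sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_str, _, rest = line.partition(" ")
        ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        fields = {m.group(1): (m.group(2) if m.group(2) is not None else m.group(3))
                  for m in KV_RE.finditer(rest)}
        events.append((ts, fields.get("user"), fields.get("result"), fields.get("reason")))
    events.sort(key=lambda e: e[0])
    return events


def relevant(events):
    """Keep only failures whose reason is one of the three tracked reasons
    (the same filter as the result=FAILURE and reason=... search terms)."""
    return [e for e in events if e[2] == "FAILURE" and e[3] in REQUIRED_REASONS]


def sliding_window_alerts(events):
    """Sliding window, like streamstats time_window=5m: for each event, look at the
    reasons the same user produced in the 5 minutes ending at that event. Returns
    {user: time of the first event that completed the set}."""
    recent = defaultdict(deque)
    alerts = {}
    for ts, user, _, reason in relevant(events):
        q = recent[user]
        q.append((ts, reason))
        while q and ts - q[0][0] > WINDOW:      # drop events older than 5 minutes
            q.popleft()
        if user not in alerts and {r for _, r in q} == REQUIRED_REASONS:
            alerts[user] = ts
    return alerts


def fixed_bucket_alerts(events):
    """Fixed buckets, like a search scheduled every 5 minutes over the last 5 minutes:
    a user alerts only if all three reasons fall inside the same 5-minute bucket.
    Returns {user: bucket start time}."""
    by_bucket = defaultdict(set)
    for ts, user, _, reason in relevant(events):
        bucket = ts.replace(minute=ts.minute - ts.minute % 5, second=0, microsecond=0)
        by_bucket[(user, bucket)].add(reason)
    return {user: bucket for (user, bucket), reasons in by_bucket.items()
            if reasons == REQUIRED_REASONS}


if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOGS)
    print("sliding window:", sliding_window_alerts(evts))   # alice and carol
    print("fixed buckets: ", fixed_bucket_alerts(evts))     # alice only
```

Running it shows the practical difference: both approaches flag alice, neither flags bob (his three reasons span 7 minutes), but only the sliding window flags carol, whose three failures sit within 3 minutes yet cross a 5-minute bucket boundary. If the scheduled-search route is taken, running it over a longer lookback than the schedule interval (or using streamstats with a time window) avoids that gap.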