I am looking for successful brute force logins,
basically I am looking for 5 failed logins followed by 1 successful login.
I found the below search and it seems to be working, but it's just counting the fails and successes;
there is no time sequence.
It isn't looking for the first 5 failed logins, it counts all the failed and successful logins
and then makes a count.
How can I add the time awareness (5 failed logins followed by 1 successful login within 5 or 10 min)?
action= failed or success (login)
index=* | bucket _time span=30m | stats list(action) as Attempts, count(eval(match(action,"failure"))) as Failed, count(eval(match(action,"success"))) as Success by user | where mvcount(Attempts)>=6 AND Success=1 AND Failed>=5
Hi there @ecanmaster
Perhaps something like this might help you.
earliest=-11min@min latest=-1min@min your_main_search_here action="success" | stats count, latest(_time) AS lastLogin by user | eval timewindow=lastLogin - 600 | map maxsearches=100 search="your_main_search_here action=\"failure\" earliest=$timewindow$ latest=$lastLogin$ user=\"$user$\"" | stats count, latest(_time) AS "Latest Attempt" by user | convert ctime("Latest Attempt") | rename user AS "Compromised Account", count AS "loginAttempts" | where loginAttempts > 4
This should search successful user logins in a 10 min window and, if it finds one, go back in time 10 min to find failed attempts in the last 10 minutes for each user/success login.
Couldn't test it, hope it helps.
EDIT: Fixed. Thank you @DalJeanis