Hi
Is there a way to determine a slow and low attack from authentication logs? I have a situation where I have to alert on authentication failures for one user, more than 2 in an hour, repeating.
base search .. action=failure|stats count by user|where count >2
Can you explain a bit more, please? What specifically do you mean by the word "repeating" in the last sentence?
There are a number of ways to flag S&L attacks, depending on how much in the way of resources you want to allocate to it. Let's assume that you are just trying to identify issues in retrospect, and that you want to identify when two failures occur from the same user or the same source IP within a one-hour period. You can run something like this...
base search .. action=failure
|fields user sourceIP
| streamstats timewindow=1h count as UserCount by user
| streamstats timewindow=1h count as IPCount by sourceIP
| where UserCount>1 OR IPCount>1
Then, depending on what you mean by "repeating", you can do some more analysis. The above will pass through the second (and subsequent) events in any given one-hour period. Supposing that you want ALL the events for analysis, including the first, then you can do this...
base search .. action=failure
|fields user sourceIP
| streamstats timewindow=1h count as UserCount by user
| streamstats timewindow=1h count as IPCount by sourceIP
| eventstats max(UserCount) as UserMax by user
| eventstats max(IPCount) as IPMax by sourceIP
| where UserMax>1 OR IPMax>1
Now every record for a User and every record for an IP is flagged if that User or IP ever had two records within an hour in the time period under analysis. Now, let's see how many hours they have that condition...
| bin _time span=1h
| eval rectype="detail"
| appendpipe
[| where (rectype=="detail")
| stats count as UserPulse by user _time
| eval rectype="User"
| eventstats count(UserPulse) as UserPulseCount, sum(UserPulse) as UserPulseTotal by user
]
| appendpipe
[| where (rectype=="detail")
| stats count as IPPulse by sourceIP _time
| eval rectype="sourceIP"
| eventstats count(IPPulse) as IPPulseCount, sum(IPPulse) as IPPulseTotal by sourceIP]
| where (rectype!="detail")
| fillnull value=""
| sort 0 rectype sourceIP user _time
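The following is an added example, not part of the answer above and not Splunk code: it re-implements the same detection logic in Python so the windowing behaviour can be checked offline. It reproduces `streamstats timewindow=1h count ... by user / sourceIP`, the `eventstats max(...)` propagation, the `where UserMax>1 OR IPMax>1` filter, and the per-hour `bin _time span=1h | stats count` pulses. The log lines are constructed sample data; the window boundary (an event exactly one hour old still counts) is an assumption about Splunk's semantics, not something the thread states.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authentication events (not taken from the original post).
SAMPLE_LOG = """\
2024-03-01T08:05:00 action=failure user=alice sourceIP=10.0.0.5
2024-03-01T08:40:00 action=failure user=alice sourceIP=10.0.0.5
2024-03-01T09:50:00 action=failure user=alice sourceIP=10.0.0.5
2024-03-01T10:20:00 action=failure user=alice sourceIP=10.0.0.5
2024-03-01T11:00:00 action=success user=alice sourceIP=10.0.0.5
2024-03-01T08:15:00 action=failure user=bob sourceIP=10.0.0.9
2024-03-01T12:30:00 action=failure user=bob sourceIP=10.0.0.9
2024-03-01T08:30:00 action=failure user=carol sourceIP=10.0.0.9
2024-03-01T13:00:00 action=failure user=dave sourceIP=10.0.0.20
"""

WINDOW = timedelta(hours=1)  # the timewindow=1h of the SPL above


def parse_events(text):
    """Parse `key=value` log lines into dicts; sort ascending by time, as
    streamstats expects time-ordered input."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *pairs = line.split()
        fields = dict(p.split("=", 1) for p in pairs)
        fields["_time"] = datetime.fromisoformat(ts)
        events.append(fields)
    events.sort(key=lambda e: e["_time"])
    return events


def streamstats_window_count(events, key, name):
    """Equivalent of `streamstats timewindow=1h count as <name> by <key>`:
    for each event, the number of events with the same key value whose _time
    falls inside the trailing one-hour window (current event included).
    Assumption: an event exactly one hour old is still inside the window."""
    recent = defaultdict(deque)
    for e in events:
        q = recent[e[key]]
        q.append(e["_time"])
        while e["_time"] - q[0] > WINDOW:  # evict events older than the window
            q.popleft()
        e[name] = len(q)
    return events


def flag_slow_and_low(text):
    """Return every failure event whose user or source IP ever had two
    failures inside one hour (the `where UserMax>1 OR IPMax>1` form)."""
    events = [e for e in parse_events(text) if e.get("action") == "failure"]
    streamstats_window_count(events, "user", "UserCount")
    streamstats_window_count(events, "sourceIP", "IPCount")
    # eventstats max(<count>) as <max> by <key>: propagate the per-key maximum
    for key, cnt, mx in (("user", "UserCount", "UserMax"),
                         ("sourceIP", "IPCount", "IPMax")):
        maxes = defaultdict(int)
        for e in events:
            maxes[e[key]] = max(maxes[e[key]], e[cnt])
        for e in events:
            e[mx] = maxes[e[key]]
    return [e for e in events if e["UserMax"] > 1 or e["IPMax"] > 1]


def hourly_pulses(flagged, key):
    """Equivalent of `bin _time span=1h | stats count by <key> _time` followed
    by `eventstats count(...) sum(...)`: maps each key value to
    (number of distinct hours with failures, total failures)."""
    per_hour = defaultdict(lambda: defaultdict(int))
    for e in flagged:
        hour = e["_time"].replace(minute=0, second=0, microsecond=0)
        per_hour[e[key]][hour] += 1
    return {k: (len(h), sum(h.values())) for k, h in per_hour.items()}


if __name__ == "__main__":
    flagged = flag_slow_and_low(SAMPLE_LOG)
    for e in flagged:
        print(e["_time"], e["user"], e["sourceIP"],
              "UserCount=%d IPCount=%d" % (e["UserCount"], e["IPCount"]))
    print("per user  (hours, total):", hourly_pulses(flagged, "user"))
    print("per IP    (hours, total):", hourly_pulses(flagged, "sourceIP"))
```

Note what the sample shows: `dave` has a single failure from a unique address and is never flagged, while `bob` and `carol` are flagged only because they share `10.0.0.9` and their two failures fall inside one hour, which is exactly why the answer keys on both user and source IP. Splunk field names are case-sensitive, so `user` and `User` are different fields in SPL; the Python uses `user` throughout.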