Hi, I'm trying to detect brute force activity by detecting multiple auth failures followed by success. I started with the following search which works and shows when there has been over 20 failures and at least 1 success, but the success can happen anywhere during the search period. It could be 1 success followed by 20 failures or the success can happen in the middle.

index=main sourcetype="wineventlog" (EventCode=4624 OR EventCode=4625) Logon_Type IN (2,3,8,10,11) user!=*$
| bin _time span=5m as Time
| stats count(eval(match(Keywords,"Audit Failure"))) as Failed,
count(eval(match(Keywords,"Audit Success"))) as Success,
count(eval(match(lower(Status),"0xc0000224"))) as "PwChangeReq",
count(eval(match(lower(Sub_Status),"0xc0000071"))) as "Expired",
count(eval(match(lower(Status),"0xc0000234"))) as "Locked" by Time user src_ip
| where Success>0 AND Failed>=20 AND PwChangeReq=0 AND Locked=0 AND Expired=0

I need the query to only trigger if the success happens after 20 failures. I found some examples using streamstats so I created the following search, but it's not working properly because the *reset_after* clears the failure_count for all src_ip. Therefore, as long as there is 1 success from any IP address, the failure_count gets reset and I'm not seeing the failure count reach 20.

index=main sourcetype="wineventlog" EventCode IN (4624,4625) Logon_Type IN (2,3,8,10,11)
| eval action=if(match(Keywords,"Audit Failure"),"failed","success")
| reverse
| streamstats window=0 current=true reset_after="("action==\"success\"")" count as failure_count by src_ip
| where action="success" and failure_count > 20
| table _time, user, src_ip, action, failure_count

Is streamstats the way to go? Or how can I set up a query to detect the success after more than 20 failures?
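The per-source sequencing the question is after (a run of failures from one src_ip reset only by a success from that same src_ip, with the lockout/expired/password-change statuses from the first search excluded) is easy to state outside SPL. The following is an added Python model of that logic over constructed events, not code from the post or from Splunk; the event field names mirror the wineventlog fields used in the searches above.

```python
from collections import defaultdict

THRESHOLD = 20
LOGON_TYPES = {2, 3, 8, 10, 11}
# 4625 status/sub-status codes the original search excludes:
# password change required, account locked, password expired.
EXCLUDED_STATUS = {"0xc0000224", "0xc0000234"}
EXCLUDED_SUB_STATUS = {"0xc0000071"}


def detect_success_after_failures(events, threshold=THRESHOLD):
    """Replay events in time order keeping a per-src_ip run of plain
    failures. A success for a source resets only that source's run and
    raises an alert if the run had reached the threshold. Returns alerts."""
    failures = defaultdict(int)
    alerts = []
    for ev in sorted(events, key=lambda e: e["_time"]):
        if ev["Logon_Type"] not in LOGON_TYPES or ev["user"].endswith("$"):
            continue  # same scoping as the original search
        ip = ev["src_ip"]
        if ev["EventCode"] == 4625:
            if (ev.get("Status", "").lower() in EXCLUDED_STATUS
                    or ev.get("Sub_Status", "").lower() in EXCLUDED_SUB_STATUS):
                continue  # not a password-guessing failure; ignore it
            failures[ip] += 1
        elif ev["EventCode"] == 4624:
            if failures[ip] >= threshold:
                alerts.append({"_time": ev["_time"], "user": ev["user"],
                               "src_ip": ip, "failure_count": failures[ip]})
            failures[ip] = 0  # reset this source only, not every src_ip


    return alerts


def sample_events():
    """Constructed sample data (not from the post)."""
    def ev(t, user, ip, code, status="0x0", sub="0x0"):
        return {"_time": t, "user": user, "src_ip": ip, "EventCode": code,
                "Logon_Type": 3, "Status": status, "Sub_Status": sub}
    events = [ev(0, "bob", "10.0.0.7", 4624)]                  # success first
    events += [ev(1 + i, "bob", "10.0.0.7", 4625) for i in range(5)]
    events += [ev(10 + i, "alice", "10.0.0.5", 4625) for i in range(21)]
    events.append(ev(20, "carol", "10.0.0.9", 4624))          # other source
    events.append(ev(25, "alice", "10.0.0.5", 4625, "0xc0000234"))  # lockout
    events.append(ev(40, "alice", "10.0.0.5", 4624))          # success after 21
    return events


if __name__ == "__main__":
    for alert in detect_success_after_failures(sample_events()):
        print(alert)
```

The success from 10.0.0.9 in the middle of the run does not touch 10.0.0.5's counter, which is the behaviour the streamstats version was expected to give.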