This is my search for detecting brute force behavior-
index="wineventlog" sourcetype=wineventlog:security | stats dc(action) as Attempts, earliest(_time) as FirstAppearance
count(eval(match(action,"failure"))) as Failed,
count(eval(match(action,"success"))) as Success
max(eval(case(match(action,"failure"),_time))) as lastFailed
max(eval(case(match(action,"success"),_time))) as lastSuccess
values(src) as src by user
| where Attempts>1 AND Failed>100 AND Success>0
| where lastFailed < lastSuccess
Now what is happening it is taking cumulative of 100 as failures and if there is 1 success then it is triggering....
My question is how can i restrict it to 100 failures consecutive prior to 1-success i mean 1st event should not be success.
... View more