Hi, I'm trying to detect brute force activity by detecting multiple auth failures followed by success. I started with the following search which works and shows when there have been over 20 failures and at least 1 success, but the success can happen anywhere during the search period. It could be 1 success followed by 20 failures or the success can happen in the middle.

index=main sourcetype="wineventlog" (EventCode=4624 OR EventCode=4625) Logon_Type IN (2,3,8,10,11) user!=*$
| bin _time span=5m as Time
| stats count(eval(match(Keywords,"Audit Failure"))) as Failed,
        count(eval(match(Keywords,"Audit Success"))) as Success,
        count(eval(match(lower(Status),"0xc0000224"))) as "PwChangeReq",
        count(eval(match(lower(Sub_Status),"0xc0000071"))) as "Expired",
        count(eval(match(lower(Status),"0xc0000234"))) as "Locked" by Time user src_ip
| where Success>0 AND Failed>=20 AND PwChangeReq=0 AND Locked=0 AND Expired=0

I need the query to only trigger if the success happens after 20 failures. I found some examples using streamstats so I created the following search, but it's not working properly because the *reset_after* clears the failure_count for all src_ip. Therefore, as long as there is 1 success from any IP address, the failure_count gets reset and I'm not seeing the failure count reach 20.

index=main sourcetype="wineventlog" EventCode IN (4624,4625) Logon_Type IN (2,3,8,10,11)
| eval action=if(match(Keywords,"Audit Failure"),"failed","success")
| reverse
| streamstats window=0 current=true reset_after="("action==\"success\"")" count as failure_count by src_ip
| where action="success" and failure_count > 20
| table _time, user, src_ip, action, failure_count

Is streamstats the way to go? Or how can I set up a query to detect the success after more than 20 failures?
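As an added reference model (not part of the original post, and not SPL), the following Python implements the detection the poster is after: a running count of 4625 failures kept separately per src_ip, reset only by a 4624 success from that same src_ip, raising an alert when the success lands on a run of at least 20 failures. It also expires a run if the source goes quiet for longer than a window, mirroring the 5-minute bins of the first search. The sample events, user names and IP addresses are constructed for the example; the threshold, window and the decision to count only 4624/4625 are assumptions chosen to match the question. Having the intended logic written out this way gives you something concrete to check a streamstats or eventstats-based SPL against on the same sample data.

```python
from collections import defaultdict


def _burst(start, count, code, user, ip):
    """Build `count` events of EventCode `code`, one second apart (constructed data)."""
    return [{"_time": start + i, "EventCode": code, "user": user, "src_ip": ip}
            for i in range(count)]


# Constructed sample events modelled on Windows 4624 (success) / 4625 (failure)
# records; _time is epoch seconds. Not real log data.
SAMPLE_EVENTS = (
    _burst(0, 22, 4625, "jdoe", "10.0.0.5")                                  # 22 failures from 10.0.0.5 ...
    + [{"_time": 10, "EventCode": 4624, "user": "svc_backup", "src_ip": "10.0.0.9"}]  # unrelated success mid-burst
    + [{"_time": 25, "EventCode": 4624, "user": "jdoe", "src_ip": "10.0.0.5"}]        # ... then a success: alert
    + _burst(100, 5, 4625, "asmith", "10.0.0.7")                              # 5 failures, below threshold
    + [{"_time": 106, "EventCode": 4624, "user": "asmith", "src_ip": "10.0.0.7"}]
    + _burst(1000, 20, 4625, "jdoe", "192.168.1.20")                          # 20 failures ...
    + [{"_time": 1500, "EventCode": 4624, "user": "jdoe", "src_ip": "192.168.1.20"}]  # ... success 481 s later: run expired
)


def detect_success_after_failures(events, threshold=20, window_seconds=300):
    """Return one alert per 4624 success that follows >= `threshold` consecutive
    4625 failures from the same src_ip.

    The failure run is tracked per src_ip, so a success from a different
    source does not reset it (the behaviour the posted streamstats lacks).
    A run also expires when the source is silent longer than `window_seconds`.
    Events are processed oldest first regardless of input order.
    """
    failures = defaultdict(int)   # consecutive failures per src_ip
    last_seen = {}                # time of the last event seen from each src_ip
    alerts = []
    for ev in sorted(events, key=lambda e: e["_time"]):
        ip = ev["src_ip"]
        # Expire a stale run before considering this event.
        if ip in last_seen and ev["_time"] - last_seen[ip] > window_seconds:
            failures[ip] = 0
        last_seen[ip] = ev["_time"]

        if ev["EventCode"] == 4625:
            failures[ip] += 1
        elif ev["EventCode"] == 4624:
            if failures[ip] >= threshold:
                alerts.append({"_time": ev["_time"], "user": ev["user"],
                               "src_ip": ip, "failure_count": failures[ip]})
            failures[ip] = 0   # a success resets only this source's run
    return alerts


if __name__ == "__main__":
    for alert in detect_success_after_failures(SAMPLE_EVENTS):
        print(alert)
```

Run as-is, it reports only the 10.0.0.5 success (22 prior failures); the success from 10.0.0.9 at the same moment does not disturb that count, the 5-failure run from 10.0.0.7 is below threshold, and the 192.168.1.20 success comes too long after its failures. Whatever SPL you end up with should produce exactly this one row on the same events; if it also drops the 10.0.0.5 alert, the reset is still being applied across sources.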