I am looking for successful brute force logins,
basically I am looking for 5 failed logins followed by 1 successful login.
I found the below search and it seems to be working, but it's just counting the fails and successes;
there is no time sequence.
It isn't looking for the first 5 failed logins; it counts all the failed and successful logins
and then makes a count.
How can I add the time awareness (5 failed logins followed by 1 successful login within 5 or 10 min)?
action = failed or success (login)
user = user IDs
index=* | bucket _time span=30m | stats list(action) as Attempts, count(eval(match(action,"failure"))) as Failed, count(eval(match(action,"success"))) as Success by user | where mvcount(Attempts)>=6 AND Success=1 AND Failed>=5
Hi there @ecanmaster
Perhaps something like this might help you.
earliest=-11min@min latest=-1min@min your_main_search_here action="success"
| stats count, latest(_time) AS lastLogin by user
| eval timewindow=lastLogin - 600
| map maxsearches=100 search="search your_main_search_here action=\"failure\" earliest=$timewindow$ latest=$lastLogin$ user=\"$user$\""
| stats count, latest(_time) AS "Latest Attempt" by user
| convert ctime("Latest Attempt")
| rename user AS "Compromised Account", count AS "loginAttempts"
| where loginAttempts > 4
This should search successful user logins in a 10 min window and if it finds one it goes back in time 10 min to find failed attempts in the last 10 minutes for each user/success login.
Couldn't test it, hope it helps.
EDIT: Fixed. Thank you @DalJeanis
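The time-aware rule the answer describes (a success preceded, for the same user, by at least five failures inside a ten-minute window), written here as a stand-alone Python example that is not part of the thread and not a Splunk feature. It parses constructed key=value log lines (sample data invented for this example), applies a per-user sliding window in one pass over time-ordered events, and keeps the count-only rule from the question beside it to show the case that rule gets wrong. The field names `user` and `action` and the values `failure`/`success` follow the question; the line format, thresholds and function names are assumptions.

```python
"""Time-aware brute-force login detection (added example, not from the thread).

Rule: alert on a successful login that is preceded, for the same user,
by at least MIN_FAILURES failed logins inside the last WINDOW_SECONDS.
Field names (user, action) and values (failure, success) follow the
question; the log line format and the sample data are constructed here.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

MIN_FAILURES = 5
WINDOW_SECONDS = 600  # 10 minutes

# Constructed sample log, deliberately out of order to exercise the sort.
# alice: 5 failures in 2 minutes, then a success  -> true positive
# bob:   5 failures spread over 12 minutes, then a success -> only 4 fall in the window
# carol: 3 failures, then a success -> below threshold
SAMPLE_LOG = """\
2024-03-01T10:05:00Z user=alice action=success
2024-03-01T10:00:00Z user=alice action=failure
2024-03-01T10:00:30Z user=alice action=failure
2024-03-01T10:01:00Z user=alice action=failure
2024-03-01T10:01:30Z user=alice action=failure
2024-03-01T10:02:00Z user=alice action=failure
2024-03-01T10:00:00Z user=bob action=failure
2024-03-01T10:03:00Z user=bob action=failure
2024-03-01T10:06:00Z user=bob action=failure
2024-03-01T10:09:00Z user=bob action=failure
2024-03-01T10:12:00Z user=bob action=failure
2024-03-01T10:13:00Z user=bob action=success
2024-03-01T10:00:00Z user=carol action=failure
2024-03-01T10:00:10Z user=carol action=failure
2024-03-01T10:00:20Z user=carol action=failure
2024-03-01T10:00:40Z user=carol action=success
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+user=(?P<user>\S+)\s+action=(?P<action>\S+)$")


def parse_line(line):
    """Parse one '<ISO-8601> user=<id> action=<failure|success>' line into (epoch, user, action)."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparsable log line: {line!r}")
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00")).timestamp()
    return ts, m["user"], m["action"]


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def count_only_candidates(events, min_failures=MIN_FAILURES):
    """The question's count-only rule: >= min_failures failures and exactly one
    success per user, with no regard to timing. Kept to show its false positive."""
    failed, success = defaultdict(int), defaultdict(int)
    for _, user, action in events:
        if action == "failure":
            failed[user] += 1
        elif action == "success":
            success[user] += 1
    return {u for u in failed if failed[u] >= min_failures and success[u] == 1}


def detect_brute_force_success(events, min_failures=MIN_FAILURES, window_seconds=WINDOW_SECONDS):
    """Single pass in time order; each user's deque holds the failure timestamps
    that are still inside the window relative to the event being processed."""
    recent_failures = defaultdict(deque)
    alerts = []
    for ts, user, action in sorted(events, key=lambda e: e[0]):
        q = recent_failures[user]
        while q and ts - q[0] > window_seconds:  # expire failures older than the window
            q.popleft()
        if action == "failure":
            q.append(ts)
        elif action == "success":
            if len(q) >= min_failures:
                alerts.append({
                    "user": user,
                    "failures": len(q),
                    "first_failure": datetime.fromtimestamp(q[0], tz=timezone.utc).isoformat(),
                    "success_time": datetime.fromtimestamp(ts, tz=timezone.utc).isoformat(),
                })
            q.clear()  # design choice: a success ends the streak; a new alert needs fresh failures
    return alerts


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("count-only candidates:", sorted(count_only_candidates(events)))
    for alert in detect_brute_force_success(events):
        print("ALERT", alert)
```

On the sample data the count-only rule flags both alice and bob, while the windowed rule flags only alice: bob's fifth failure is more than ten minutes before his success, so only four failures are inside the window. The same single-pass idea maps onto Splunk with `streamstats` using a `time_window` over events sorted by `_time` per user, which also avoids one sub-search per successful login as raised in the comments below the answer.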
@alemarzu - looks good with one fix and one improvement...
1) latest=-11m@m earliest=-1m@m
2) No need to kill the field count; it gets thrown away at the next command (map) anyway.
Hmm, so for each successful login we go and execute?
Isn't it more normal to search only when I see a failure, which are not as frequent as successful logins?
thanks
Thank you!