Hi all,
I am writing a query to detect brute force attempts, where the username is different in each request.
index=syslog username!="NULL" | transaction clientip maxspan=60m maxpause=2m | stats count by clientip | search count >5 | sort count desc
This is giving me if someone has typed in same username within 2 mins, i want to avoid those. So i want to know if someone tried to login more than 5 times with different usernames from the same IP.
I tried my luck with dedup, but it doesn't seem to be working.
index=syslog username!="NULL" | transaction clientip maxspan=60m maxpause=2m | dedup username | stats count by clientip | search count >5 | sort count desc
Thank You
Pretty sure this will do what you want...
index=syslog username!="NULL" | transaction clientip maxspan=60m maxpause=2m | stats dc(clientip) AS "Client IP" values(username) AS "User Name" dc(username) AS "usernames" by clientip | where usernames > 5 | table clientip, "User Name"
Hi,
I don't have logfiles to recreate your scenario, so I can't test this, but would this work?
index=syslog username!="NULL" | transaction clientip maxspan=60m maxpause=2m | stats count as ipcount dc(username) as usercount by clientip | where ipcount>5 AND usercount>5
That would only catch cases where each login was tried with a different username though, perhaps usercount>3 or something would be nice.
Hth,
Kai.