Hi all,
I am trying to create a rule that alerts when one source IP/user tries to log in to several (more than one) different destinations/hosts, but I'm struggling a bit with the syntax. I was wondering if anyone could help; this is what I've got so far:
| from datamodel:"Authentication"."Authentication"
| stats values(tag) as tag, values(app) as app, count(eval('action'=="failure")) as failure, count(eval('action'=="success")) as success by src, user
| where failure>10
| streamstats sum(failure) as total_fails, values(user) as user, values(success) as success, values(failure) as failure by src
| stats list(failure) as fails, list(success) as success, list(user) as user, dc(user) as user_count by src, total_fails
| where user_count > 5
Any help is appreciated, thanks.
Try this:
| from datamodel:"Authentication"."Authentication"
| stats values(tag) AS tag values(app) AS app count(eval('action'=="failure")) AS failure count(eval('action'=="success")) AS success BY src user
| multireport
[ eventstats sum(failure) AS src_fails sum(success) AS src_successes list(user) AS users dc(user) AS user_count BY src ]
[ eventstats sum(failure) AS user_fails sum(success) AS user_successes list(src) AS sources dc(src) AS src_count BY user ]
| where user_count > 5 OR src_count > 5
This keeps the raw events to examine, but you can change the eventstats to stats to just keep the summary.
Thanks for your answer. I gave it a go, and it didn't do quite what I need it to do (it definitely did better than my search though; I didn't even know multireport was a thing!)
My goal is to alert when a src has at least 3 failed login attempts to 3 different destinations, as if someone were on the network with a few passwords, trying one machine after another till they get in.
It's frying my brain.
Try this:
| from datamodel:"Authentication"."Authentication"
| stats values(tag) AS tag values(app) AS app values(dst) AS dst count(eval('action'=="failure")) AS failureCount count(eval('action'=="success")) AS successCount BY src user
| stats sum(failureCount) AS failureCount values(dst) AS destinations dc(dst) AS dstCount BY src
| where failureCount>=3 AND dstCount>=3
I took you literally with destinations, but maybe you meant users; if so, s/dst/user/g
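To sanity-check the logic of that answer offline, here is an added Python example (not from the thread, and not Splunk code) that runs the same two-stage aggregation over a few constructed authentication events and applies the same threshold; it assumes the events carry the src, user, dst and action fields the searches above use, and the per-user variant from the s/dst/user/g note is selectable with spread_field="user".

```python
from collections import defaultdict

# Constructed sample events (not from the thread) with the fields the searches use.
SAMPLE_EVENTS = [
    {"src": "10.0.0.5", "user": "alice", "dst": "host-a", "action": "failure"},
    {"src": "10.0.0.5", "user": "alice", "dst": "host-b", "action": "failure"},
    {"src": "10.0.0.5", "user": "bob", "dst": "host-c", "action": "failure"},
    {"src": "10.0.0.5", "user": "bob", "dst": "host-c", "action": "success"},
    # Many failures, but all against a single host: should not alert.
    {"src": "10.0.0.9", "user": "carol", "dst": "host-a", "action": "failure"},
    {"src": "10.0.0.9", "user": "carol", "dst": "host-a", "action": "failure"},
    {"src": "10.0.0.9", "user": "carol", "dst": "host-a", "action": "failure"},
    {"src": "10.0.0.9", "user": "carol", "dst": "host-a", "action": "failure"},
    # Three failures but only two hosts: should not alert either.
    {"src": "10.0.0.7", "user": "dave", "dst": "host-a", "action": "failure"},
    {"src": "10.0.0.7", "user": "dave", "dst": "host-b", "action": "failure"},
    {"src": "10.0.0.7", "user": "dave", "dst": "host-b", "action": "failure"},
]

def summarize_by_src(events, spread_field="dst"):
    """Per src: total failures/successes and the distinct values of spread_field.

    Mirrors `stats sum(failureCount) values(dst) dc(dst) BY src`: like values(),
    the spread set is collected from every event, successes included.
    Pass spread_field="user" for the s/dst/user/g variant of the search.
    """
    summary = defaultdict(lambda: {"failureCount": 0, "successCount": 0, "spread": set()})
    for e in events:
        row = summary[e["src"]]
        row["spread"].add(e[spread_field])
        if e["action"] == "failure":
            row["failureCount"] += 1
        elif e["action"] == "success":
            row["successCount"] += 1
    return summary

def spray_alerts(events, min_failures=3, min_spread=3, spread_field="dst"):
    """Apply `where failureCount>=3 AND dstCount>=3`; return the sources to alert on."""
    alerts = {}
    for src, row in summarize_by_src(events, spread_field).items():
        if row["failureCount"] >= min_failures and len(row["spread"]) >= min_spread:
            alerts[src] = {"failureCount": row["failureCount"], "spread": sorted(row["spread"])}
    return alerts

if __name__ == "__main__":
    for src, info in spray_alerts(SAMPLE_EVENTS).items():
        print(f"ALERT src={src} failures={info['failureCount']} hosts={info['spread']}")
```

Only 10.0.0.5 alerts: the single-host brute force from 10.0.0.9 and the two-host case from 10.0.0.7 fall below the distinct-destination threshold, which is the behaviour the "3 failures to 3 different destinations" requirement asks for.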