Alerting

Create alert for 5+ failed authentications for any single user

clwboscovs
Engager

I want to create an alert that monitors 5+ authentication failures for VPN login within an hour, but I'm not sure how to get the alert to monitor for 5+ failures for any single user.

Here's an example log:

[2020-08-17 11:40:10,550] [IG Audit Writer] [INFO ] [IG.AUDIT] [AUD7505] [VPN_AD_Group/user] The Radius server ise_servers rejected authentication for user VPN_AD_Group/user.

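Added example, not code from the original thread or from Splunk: the same per-user threshold logic implemented in Python so it can be run offline against constructed log lines in the format of the event posted above. The regex captures the user the same way the rex in the thread does (the last `[\w/]+` token before the trailing period), and the one-hour window is applied as a sliding window per user, which is what an alert scheduled over `earliest=-1h` effectively does in Splunk. User names, timestamps, the "accepted" event and the `[AUDXXXX]` code are all constructed sample data.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Mirrors the thread's rex: the user is the final whitespace-delimited token,
# made of word characters and "/", ending the line before a period.
REJECT_RE = re.compile(
    r"^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+\]"
    r".*rejected authentication for user (?P<user>[\w/]+)\.$"
)

# Constructed sample events (same layout as the log line in the question).
# alice: 5 failures inside 30 minutes        -> should alert
# bob:   6 failures, never more than 3 per hour -> should not alert
# carol: 4 failures inside 10 minutes        -> below threshold
# dave:  one accepted login, must be ignored   (AUDXXXX is a placeholder code)
SAMPLE_LOG = """\
[2020-08-17 11:40:10,550] [IG Audit Writer] [INFO ] [IG.AUDIT] [AUD7505] [VPN_AD_Group/alice] The Radius server ise_servers rejected authentication for user VPN_AD_Group/alice.
[2020-08-17 11:42:00,001] [IG Audit Writer] [INFO ] [IG.AUDIT] [AUD7505] [VPN_AD_Group/alice] The Radius server ise_servers rejected authentication for user VPN_AD_Group/alice.
[2020-08-17 11:45:30,002] [IG Audit Writer] [INFO ] [IG.AUDIT] [AUD7505] [VPN_AD_Group/alice] The Radius server ise_servers rejected authentication for user VPN_AD_Group/alice.
[2020-08-17 11:50:00,003] [IG Audit Writer] [INFO ] [IG.AUDIT] [AUD7505] [VPN_AD_Group/alice] The Radius server ise_servers rejected authentication for user VPN_AD_Group/alice.
[2020-08-17 12:10:00,004] [IG Audit Writer] [INFO ] [IG.AUDIT] [AUD7505] [VPN_AD_Group/alice] The Radius server ise_servers rejected authentication for user VPN_AD_Group/alice.
[2020-08-17 09:00:00,000] [IG Audit Writer] [INFO ] [IG.AUDIT] [AUD7505] [VPN_AD_Group/bob] The Radius server ise_servers rejected authentication for user VPN_AD_Group/bob.
[2020-08-17 09:20:00,000] [IG Audit Writer] [INFO ] [IG.AUDIT] [AUD7505] [VPN_AD_Group/bob] The Radius server ise_servers rejected authentication for user VPN_AD_Group/bob.
[2020-08-17 09:40:00,000] [IG Audit Writer] [INFO ] [IG.AUDIT] [AUD7505] [VPN_AD_Group/bob] The Radius server ise_servers rejected authentication for user VPN_AD_Group/bob.
[2020-08-17 10:30:00,000] [IG Audit Writer] [INFO ] [IG.AUDIT] [AUD7505] [VPN_AD_Group/bob] The Radius server ise_servers rejected authentication for user VPN_AD_Group/bob.
[2020-08-17 10:50:00,000] [IG Audit Writer] [INFO ] [IG.AUDIT] [AUD7505] [VPN_AD_Group/bob] The Radius server ise_servers rejected authentication for user VPN_AD_Group/bob.
[2020-08-17 11:10:00,000] [IG Audit Writer] [INFO ] [IG.AUDIT] [AUD7505] [VPN_AD_Group/bob] The Radius server ise_servers rejected authentication for user VPN_AD_Group/bob.
[2020-08-17 13:00:00,000] [IG Audit Writer] [INFO ] [IG.AUDIT] [AUD7505] [VPN_AD_Group/carol] The Radius server ise_servers rejected authentication for user VPN_AD_Group/carol.
[2020-08-17 13:02:00,000] [IG Audit Writer] [INFO ] [IG.AUDIT] [AUD7505] [VPN_AD_Group/carol] The Radius server ise_servers rejected authentication for user VPN_AD_Group/carol.
[2020-08-17 13:05:00,000] [IG Audit Writer] [INFO ] [IG.AUDIT] [AUD7505] [VPN_AD_Group/carol] The Radius server ise_servers rejected authentication for user VPN_AD_Group/carol.
[2020-08-17 13:10:00,000] [IG Audit Writer] [INFO ] [IG.AUDIT] [AUD7505] [VPN_AD_Group/carol] The Radius server ise_servers rejected authentication for user VPN_AD_Group/carol.
[2020-08-17 11:41:00,000] [IG Audit Writer] [INFO ] [IG.AUDIT] [AUDXXXX] [VPN_AD_Group/dave] The Radius server ise_servers accepted authentication for user VPN_AD_Group/dave.
"""


def parse_rejections(text):
    """Return [(timestamp, user), ...] for every rejected-authentication event.
    Lines that do not match (other event types, malformed lines) are skipped,
    which is the equivalent of the "rejected authentication" search filter."""
    events = []
    for line in text.splitlines():
        m = REJECT_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        events.append((ts, m.group("user")))
    return events


def users_over_threshold(events, threshold=5, window=timedelta(hours=1)):
    """Per user, find the largest number of failures that fall inside any
    single `window` (sliding), and return {user: count} for users that reach
    `threshold`. This is the offline equivalent of
    `stats count by user | where count >= 5` over a one-hour search range."""
    by_user = defaultdict(list)
    for ts, user in events:
        by_user[user].append(ts)

    flagged = {}
    for user, times in by_user.items():
        times.sort()
        start = 0          # index of the oldest event still inside the window
        best = 0
        for end, t in enumerate(times):
            while t - times[start] >= window:
                start += 1  # slide the window forward past stale events
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[user] = best
    return flagged


if __name__ == "__main__":
    for user, count in users_over_threshold(parse_rejections(SAMPLE_LOG)).items():
        print(f"ALERT: {user} had {count} VPN authentication failures within one hour")
```

Running it flags only `VPN_AD_Group/alice`; bob's six failures spread across three hours never reach five inside any one-hour window, which is the case a plain lifetime `stats count by user` would misreport. The threshold uses `>=` because the question asks for 5+ failures.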

impurush
Contributor

@clwboscovs 

Could you please tell me what the user name is in your log?
And is the user name already extracted into any field?


index=<your index> sourcetype=<your sourcetype> "The Radius server ise_servers rejected authentication"
| stats count by user
| where count >= 5

 


thambisetty
SplunkTrust
index=yourindex rejected authentication
| rex "\s(?<user>[\w\/]+)\.$"
| stats count by user
| where count >= 5
————————————
If this helps, give a like below.


clwboscovs
Engager

The field for the sourcetype is "user", so your solution works for me perfectly. Thank you!
