The search below in ES is quite complex and we need to have it tuned. If the account expires on the weekend, like on a Saturday, when the user logs in on Monday it will tag the event as matching the rule and fire the alert. It does not allow for any grace time between the expiry date and the next login date. This rule, as written, is creating too many (false positive) alerts.
What I would like to see is a 4 day grace period to account for weekends (including long weekends) UNLESS the number of attempts to log into the expired account is >10. If >10, then fire the alert.
Suggestions?
ES default rule [Activity from Expired User Identity]:
(NOT sourcetype=stash) AND (src_user_endDate=* OR user_endDate=*)
| `mktime(src_user_endDate,"%m/%d/%y %H:%M")`
| `mktime(user_endDate,"%m/%d/%y %H:%M")`
| search (user_endDate<time() OR src_user_endDate<time())
| eval users_description=case(isnotnull(user) AND isnotnull(src_user) AND src_user!=user AND user_endDate<time() AND src_user_endDate<time(), user." \ ".src_user, src_user_endDate<time() AND isnotnull(src_user), src_user, user_endDate<time() AND isnotnull(user), user)
| `get_event_id`
| `map_notable_fields`
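One way to add the grace period and the attempt threshold to that search, written here as an added example and not taken from the post or from the shipped ES rule. It keeps the original field names and macros and assumes the grace period is measured from the identity's end date to the timestamp of the login event (`_time`), not to the time the correlation search runs. The fields `expired_user`, `expired_end`, `grace_secs`, `days_after_expiry` and `attempts` are names chosen for this example:

```spl
(NOT sourcetype=stash) AND (src_user_endDate=* OR user_endDate=*)
| `mktime(src_user_endDate,"%m/%d/%y %H:%M")`
| `mktime(user_endDate,"%m/%d/%y %H:%M")`
| search (user_endDate<time() OR src_user_endDate<time())
| eval expired_user=case(isnotnull(user) AND user_endDate<time(), user, isnotnull(src_user) AND src_user_endDate<time(), src_user)
| eval expired_end=case(isnotnull(user) AND user_endDate<time(), user_endDate, isnotnull(src_user) AND src_user_endDate<time(), src_user_endDate)
| eval grace_secs=4*86400
| eval days_after_expiry=round((_time-expired_end)/86400,1)
| eventstats count AS attempts BY expired_user
| where _time>expired_end+grace_secs OR attempts>10
| eval users_description=case(isnotnull(user) AND isnotnull(src_user) AND src_user!=user AND user_endDate<time() AND src_user_endDate<time(), user." \ ".src_user, src_user_endDate<time() AND isnotnull(src_user), src_user, user_endDate<time() AND isnotnull(user), user)
| `get_event_id`
| `map_notable_fields`
```

The `where` line is the only gate: a Saturday expiry followed by a Monday login is about 2 days after `expired_end`, under the 4-day `grace_secs`, so it is dropped unless that account has more than 10 events in the search window. `eventstats` adds the per-account count without collapsing events, so `get_event_id` and `map_notable_fields` still see one event per login. Two things to check before relying on it: `attempts` is counted only over the correlation search's own time range, so widen `earliest` if the threshold should cover more than one scheduled run (and then filter on `_time` to avoid re-alerting old events), and `days_after_expiry` is only there to show up in the notable for triage.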