Hello,
I am trying to alert on failed login attempts in two scenarios:
1. When multiple IPs try to log into the same email
2. When one IP tries to log into multiple emails
My search string for 1 is as follows:
sourcetype="backend" | regex "User with email .* used an invalid password." | rex "User with email (?<email>.*) used an invalid password." | rex "client_ip=(?<client_ip>\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b)" | transaction email maxspan=1000s | search eventcount > 5 | stats count(eval(client_ip)) as IPCount by email | where IPCount > 1
My search string for 2:
sourcetype="backend" | regex "User with email .* used an invalid password." | rex "User with email (?<email>.*) used an invalid password." | rex "client_ip=(?<client_ip>\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b)" | transaction client_ip maxspan=1000s | search eventcount > 2 | stats values(email), count(eval(email)) as EmailCount by client_ip | where EmailCount > 1
Both of these alert on "per result." They work as expected (the first sends an email showing one email and multiple IPs); however, when I increase either `where IPCount > x` or `where EmailCount > x` to anything greater than 1, I start to receive a flood of emails where there is only a one-to-one relationship (one email, one IP). The email also leaves the "values(email)" column blank.
How can I do a search/alert to achieve my desired goal?
Thanks.
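As an added example (this is not the poster's own search and not a reply from the thread), the two scenarios can be expressed without `transaction`, using `bin` for the time window and `dc()` for the distinct count. The reason this matters: after `transaction email`, each row is one transaction, so `stats count(eval(client_ip)) by email` counts transactions per email rather than distinct IPs, and an email that failed several times from a single IP still reaches a count above 1. `dc(client_ip)` counts distinct values, which is what the alert is meant to measure. The example assumes the same `sourcetype="backend"` and log message format as in the question, that email addresses contain no whitespace, a 15-minute window, and the same thresholds as the original searches; all of these are assumptions and can be changed.

```spl
sourcetype="backend" "used an invalid password"
| rex "User with email (?<email>\S+) used an invalid password\."
| rex "client_ip=(?<client_ip>\d{1,3}(?:\.\d{1,3}){3})"
| where isnotnull(email) AND isnotnull(client_ip)
| bin _time span=15m
| stats count AS Failures, dc(client_ip) AS IPCount, values(client_ip) AS IPs BY _time, email
| where Failures > 5 AND IPCount > 1
| sort - IPCount

sourcetype="backend" "used an invalid password"
| rex "User with email (?<email>\S+) used an invalid password\."
| rex "client_ip=(?<client_ip>\d{1,3}(?:\.\d{1,3}){3})"
| where isnotnull(email) AND isnotnull(client_ip)
| bin _time span=15m
| stats count AS Failures, dc(email) AS EmailCount, values(email) AS Emails BY _time, client_ip
| where Failures > 2 AND EmailCount > 1
| sort - EmailCount
```

The first search is scenario 1 (one email, many IPs), the second is scenario 2 (one IP, many emails). The `where isnotnull(...)` line replaces the original `regex` filter and drops events where either field failed to extract, so neither count is inflated by empty values. If the alert is scheduled to run every 15 minutes over the last 15 minutes, the `bin _time span=15m` line can be removed and `BY email` (or `BY client_ip`) used on its own; with a "per result" trigger, each row of the final table then becomes one alert email, and raising the `IPCount` or `EmailCount` threshold in the `where` line raises the number of distinct IPs or emails required, not the number of events.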