2021-03-07 06:05 AM - edited 2021-03-07 06:20 AM
Hello guys,
I have copied the "Multiple Failed Logons from Same Source IP with Unique Usernames" ESA rule to drop some IP destinations, and it's working fine with dropping the IP destinations, but now it gets triggered even if there is only one event.
All the changes are in bold.
The rule code is below:
SELECT * FROM
Event(
(ip_src NOT IN ('x.x.x.x'))
AND
medium = 32
AND
ec_activity = 'Logon'
AND
ec_theme = 'Authentication'
AND
ec_outcome = 'Failure'
AND
(ip_src IS NOT NULL OR device_ip IS NOT NULL)
AND
user_dst IS NOT NULL
).std:groupwin(ip_src, device_ip, user_dst)
.win:time_length_batch(180 seconds, 7)
.std:unique(user_dst)
GROUP BY ip_src, device_ip
HAVING COUNT(*) = 7;
2021-07-22 07:06 AM
Hi Ahmad,
If you want to detect 7 login failures from the same user, then your syntax is almost right; you just need to remove the unique clause:
SELECT * FROM
Event(
(ip_src NOT IN ('x.x.x.x'))
AND
medium = 32
AND
ec_activity = 'Logon'
AND
ec_theme = 'Authentication'
AND
ec_outcome = 'Failure'
AND
(ip_src IS NOT NULL OR device_ip IS NOT NULL)
AND
user_dst IS NOT NULL
).std:groupwin(ip_src, device_ip, user_dst)
.win:time_length_batch(180 seconds, 7)
GROUP BY ip_src, device_ip, user_dst
HAVING COUNT(*) = 7;
But in that case the name of the rule should no longer be:
"Multiple Failed Logons from Same Source IP with Unique Usernames"
It should be:
"Multiple Failed Logons from Same Source IP with Same Username"
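To make the difference between the two rule variants concrete, here is an added illustration (not NetWitness or Esper code, and not part of either post) that replays constructed failed-logon events through a simplified model of the rules: the Event(...) filter, a per-group batch that is evaluated once it holds 7 events or 180 seconds have elapsed since the batch started, and a HAVING COUNT(*) = 7 check. The "unique usernames" variant groups by ip_src and device_ip and counts distinct user_dst values in the batch; the "same username" variant adds user_dst to the group key and counts all events. Field names come from the thread; the sample IPs, usernames, timestamps and the time-expiry handling are assumptions made for the example and only approximate Esper's real window semantics.

```python
"""Simplified offline model of the two ESA rule variants discussed above.

Added example: approximates the win:time_length_batch / GROUP BY / HAVING
logic so the two rule shapes can be compared on constructed sample events.
It is not the Esper engine and does not reproduce its exact window semantics.
"""

WINDOW_SECONDS = 180          # win:time_length_batch(180 seconds, 7)
THRESHOLD = 7                 # HAVING COUNT(*) = 7
EXCLUDED_SOURCES = {"x.x.x.x"}  # placeholder from the rule's NOT IN list


def matches_filter(ev):
    """Mirror the Event(...) where-clause of the rule."""
    return (ev.get("ip_src") not in EXCLUDED_SOURCES
            and ev.get("medium") == 32
            and ev.get("ec_activity") == "Logon"
            and ev.get("ec_theme") == "Authentication"
            and ev.get("ec_outcome") == "Failure"
            and (ev.get("ip_src") is not None or ev.get("device_ip") is not None)
            and ev.get("user_dst") is not None)


class BatchDetector:
    """Per-group batch window: release when 7 events or 180 s are reached.

    group_fields  -> the std:groupwin / GROUP BY key
    count_distinct -> field whose distinct values are counted (std:unique);
                      None counts every event in the batch (COUNT(*)).
    """

    def __init__(self, group_fields, count_distinct=None):
        self.group_fields = group_fields
        self.count_distinct = count_distinct
        self.batches = {}   # key -> (batch_start_time, [events])
        self.alerts = []    # (key, count) for each fired rule

    def _key(self, ev):
        return tuple(ev.get(f) for f in self.group_fields)

    def feed(self, ev):
        if not matches_filter(ev):
            return
        key = self._key(ev)
        start, evs = self.batches.get(key, (ev["time"], []))
        if ev["time"] - start >= WINDOW_SECONDS:
            # Assumption: an expired batch that never reached 7 events is
            # released without an alert and a fresh batch starts here.
            start, evs = ev["time"], []
        evs.append(ev)
        self.batches[key] = (start, evs)
        if len(evs) >= THRESHOLD:
            self._evaluate(key, evs)
            del self.batches[key]   # batch is consumed on release

    def _evaluate(self, key, evs):
        if self.count_distinct:
            count = len({e[self.count_distinct] for e in evs})
        else:
            count = len(evs)
        if count == THRESHOLD:
            self.alerts.append((key, count))


def make_event(time, ip_src, user_dst, outcome="Failure", device_ip="10.0.0.1"):
    """Constructed sample event with the fields the rule filters on."""
    return {"time": time, "ip_src": ip_src, "device_ip": device_ip,
            "user_dst": user_dst, "medium": 32, "ec_activity": "Logon",
            "ec_theme": "Authentication", "ec_outcome": outcome}


def run_scenarios():
    """Replay three constructed scenarios through both rule variants."""
    same_user = BatchDetector(["ip_src", "device_ip", "user_dst"])
    unique_users = BatchDetector(["ip_src", "device_ip"], count_distinct="user_dst")
    events = []
    # 1) one account, 7 failures from one source within 30 s (password guessing)
    events += [make_event(1000 + i * 5, "10.0.0.5", "alice") for i in range(7)]
    # 2) 7 different accounts from one source within 60 s (password spraying)
    events += [make_event(2000 + i * 10, "10.0.0.9", f"user{i}") for i in range(7)]
    # 3) one account, 7 failures spread over 420 s: never 7 inside 180 s
    events += [make_event(5000 + i * 70, "10.0.0.5", "alice") for i in range(7)]
    # noise that the filter must drop: excluded source and a successful logon
    events.append(make_event(2005, "x.x.x.x", "bob"))
    events.append(make_event(2006, "10.0.0.9", "carol", outcome="Success"))
    for ev in sorted(events, key=lambda e: e["time"]):
        same_user.feed(ev)
        unique_users.feed(ev)
    return {"same_username": same_user.alerts,
            "unique_usernames": unique_users.alerts}


if __name__ == "__main__":
    for name, alerts in run_scenarios().items():
        print(name, alerts)
```

Scenario 1 fires only the "same username" variant, scenario 2 fires only the "unique usernames" variant, and scenario 3 fires neither, which is why the reply says the rule name should change once user_dst is added to the group key and the unique clause is dropped.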