This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

Need Help regarding a query.

RSAAdmin
Beginner
Beginner

‎2015-09-12 12:04 PM

Hi,

 

I am trying to make a query to drill down  the brute force login events. The condition for the brute force event is 20 failed logins within a period of 60 seconds. I'm trying something like this


event.cat.name='User.Activity.Failed Logins' && duration.str = '60'


but of no results. Can somebody help me to make build such a query? Also it would be nice if you provide some references for mastering the query making.

 

Thanks in advance,

 

Mathews

 

 



4 REPLIES 4

Anonymous
Not applicable

‎2015-09-14 02:09 AM

Are you tryng to apply this is in ESA or in normal reporting engine rules?

 

Regards,

Deepanshu Sood.

0 Likes

RSAAdmin
Beginner
Beginner

‎2015-09-14 08:33 AM

Hi Mathews,

 

I guess you are trying this rule in Log decoder correlation option or Rules in reporting section.

 

If you want real time correlation you should create rules in ESA.

 

The rules in ESA looks something like this:

 

SELECT * FROM

 

EVENT (

event_category_name  LIKE '%User.Activity.Failed.logins%'

).win:time_length_batch(60 minutes,20).std:unique(ip_src)

;

0 Likes

RSAAdmin
Beginner
Beginner
In response to Anonymous

‎2015-09-16 11:00 PM

Hi,

I am trying this in ESA.

0 Likes

RSAAdmin
Beginner
Beginner
In response to RSAAdmin

‎2015-09-16 11:08 PM

Hi Ajay,

 

Thanks for the reply. Co relation rules are already created in ESA but what I am trying is different. Please check the screenshot attached. I am trying to obtain the bruteforce events by applying queries.

 

 

query.PNG.png


0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.