2015-09-12 12:04 PM
Hi,
I am trying to make a query to drill down the brute force login events. The condition for the brute force event is 20 failed logins within a period of 60 seconds. I'm trying something like this
event.cat.name='User.Activity.Failed Logins' && duration.str = '60'
but of no results. Can somebody help me to make build such a query? Also it would be nice if you provide some references for mastering the query making.
Thanks in advance,
Mathews
2015-09-14 02:09 AM
Are you tryng to apply this is in ESA or in normal reporting engine rules?
Regards,
Deepanshu Sood.
2015-09-14 08:33 AM
Hi Mathews,
I guess you are trying this rule in Log decoder correlation option or Rules in reporting section.
If you want real time correlation you should create rules in ESA.
The rules in ESA looks something like this:
SELECT * FROM
EVENT (
event_category_name LIKE '%User.Activity.Failed.logins%'
).win:time_length_batch(60 minutes,20).std:unique(ip_src)
;
2015-09-16 11:00 PM
Hi,
I am trying this in ESA.
2015-09-16 11:08 PM
Hi Ajay,
Thanks for the reply. Co relation rules are already created in ESA but what I am trying is different. Please check the screenshot attached. I am trying to obtain the bruteforce events by applying queries.