Cortex XDR - Brute force alert rule


Hi,

I need to create a brute force rule.

When endpoints with tag "CRITICAL" have "action_evtlog_description = An account failed to log on" and have more than 50 logs, create a CRITICAL alert.

Could you help, please?

Regards,


Hi FabioFerreira,

I would recommend following the instructions linked here to build a correlation rule. You could try using the below query as a template for creating the correlation rule.

config case_sensitive = false
| dataset = xdr_data
| filter agent_hostname in (dataset = endpoints | filter tags contains "CRITICAL" | fields endpoint_name)
| filter action_evtlog_description = "An account failed to log on"
| comp count() as failure_count by agent_hostname
| filter failure_count > 50

Regards,
Ben

Hi Ben,

Thank you for your help.

Did it with:

preset = xdr_event_log
| filter action_evtlog_event_id = 4625
| filter agent_hostname in (dataset = endpoints | filter tags contains "CRITICAL" | fields endpoint_name)
// | alter actor_effective_username = action_evtlog_data_fields(to_json_string($.TargetUserName))
| alter TargetUserName = trim(json_extract(action_evtlog_data_fields, "$.TargetUserName"), "\"")
| alter ClientHostname = trim(json_extract(action_evtlog_data_fields, "$.WorkstationName"), "\"")
| alter ProcessName = trim(json_extract(action_evtlog_data_fields, "$.ProcessName"), "\"")
| fields agent_hostname, agent_ip_addresses, action_evtlog_description, TargetUserName, ClientHostname, insert_timestamp
// insert_timestamp is aggregated, not grouped on: grouping by it would make every event its own group and the threshold unreachable
| comp count(agent_hostname) as counter, max(insert_timestamp) as last_seen by agent_hostname, agent_ip_addresses, action_evtlog_description, TargetUserName, ClientHostname
| filter counter > 50

Regards,

Fábio
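The two XQL queries in this thread cannot be run outside a Cortex XDR tenant, so the following is an added, offline emulation of their logic in Python (it is not code from the original posts or from Palo Alto Networks). It builds a constructed endpoint inventory and constructed 4625 records shaped like xdr_event_log rows, applies the same pipeline as Fábio's query (restrict to CRITICAL-tagged endpoints, extract TargetUserName and WorkstationName from the JSON data fields, count per endpoint/user/source workstation, alert above 50) and also shows why insert_timestamp must not be part of the group key. Field names mirror those used in the thread; the sample hosts, users and workstation names are assumptions.

```python
"""Offline emulation of the thread's brute-force correlation logic.

Added example, not from the original post or from Cortex XDR. The records
below are constructed to look like xdr_event_log rows so that the grouping
and threshold logic can be checked without a tenant.
"""
import json
from collections import Counter
from datetime import datetime, timedelta

THRESHOLD = 50  # same threshold as the thread's query ("filter counter > 50")

# Constructed endpoint inventory, standing in for `dataset = endpoints`.
ENDPOINTS = [
    {"endpoint_name": "DC01", "tags": ["CRITICAL", "DOMAIN-CONTROLLER"]},
    {"endpoint_name": "FS01", "tags": ["CRITICAL"]},
    {"endpoint_name": "WS-042", "tags": ["WORKSTATION"]},
]


def critical_hosts(endpoints):
    """Equivalent of: dataset = endpoints | filter tags contains "CRITICAL" | fields endpoint_name"""
    return {e["endpoint_name"] for e in endpoints if "CRITICAL" in e["tags"]}


def make_events(host, user, workstation, n, start):
    """Build n constructed 4625 records (one per second) shaped like xdr_event_log rows."""
    rows = []
    for i in range(n):
        rows.append({
            "agent_hostname": host,
            "action_evtlog_event_id": 4625,
            "action_evtlog_description": "An account failed to log on",
            # Stored as a JSON string, like action_evtlog_data_fields in XDR.
            "action_evtlog_data_fields": json.dumps({
                "TargetUserName": user,
                "WorkstationName": workstation,
                "ProcessName": "C:\\Windows\\System32\\svchost.exe",
            }),
            "insert_timestamp": (start + timedelta(seconds=i)).isoformat(),
        })
    return rows


def build_sample_events():
    """Constructed sample: one host over threshold, one under, one not tagged CRITICAL."""
    t0 = datetime(2024, 1, 1, 8, 0, 0)
    return (
        make_events("DC01", "administrator", "LAB-PC-7", 60, t0)   # should alert
        + make_events("FS01", "backup", "BACKUP01", 3, t0)         # below threshold
        + make_events("WS-042", "jdoe", "WS-042", 80, t0)          # not CRITICAL-tagged
    )


def failed_logons_by_host(events, critical, threshold=THRESHOLD):
    """Emulate the thread's query: count 4625 events per (host, user, workstation)
    on CRITICAL-tagged endpoints and return the groups above the threshold.
    The timestamp is deliberately not part of the group key."""
    counts = Counter()
    for ev in events:
        if ev["action_evtlog_event_id"] != 4625:
            continue
        if ev["agent_hostname"] not in critical:
            continue
        data = json.loads(ev["action_evtlog_data_fields"])  # same as json_extract(...)
        key = (ev["agent_hostname"], data.get("TargetUserName"), data.get("WorkstationName"))
        counts[key] += 1
    return {k: c for k, c in counts.items() if c > threshold}


def failed_logons_per_timestamp(events, critical):
    """The pitfall: grouping by insert_timestamp as well. Returns the largest
    group size, which is 1 here because every event has its own timestamp."""
    counts = Counter()
    for ev in events:
        if ev["action_evtlog_event_id"] == 4625 and ev["agent_hostname"] in critical:
            counts[(ev["agent_hostname"], ev["insert_timestamp"])] += 1
    return max(counts.values(), default=0)


if __name__ == "__main__":
    hosts = critical_hosts(ENDPOINTS)
    for (host, user, src), n in failed_logons_by_host(build_sample_events(), hosts).items():
        print(f"CRITICAL alert: {n} failed logons on {host} for user {user} from {src}")
    print("max group size when also grouping by timestamp:",
          failed_logons_per_timestamp(build_sample_events(), hosts))
```

Running the script reports one alert (DC01, 60 failures) and shows that adding the timestamp to the group key collapses every group to a single event, which is why a correlation rule should group on host/user/source and apply its time window in the rule's own time-frame setting rather than in the `by` clause.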

  • 1 accepted solution
  • 2118 Views
  • 2 replies
  • 0 Likes