03-16-2023 10:21 AM
Hi,
I need to create a brute force rule.
When endpoints with tag "CRITICAL" have "action_evtlog_description = An account failed to log on" and more than 50 such logs, create a CRITICAL alert.
Could you help, please?
Regards,
03-17-2023 04:40 AM
Hi Ben,
Thank you for your help.
Did it with:
preset = xdr_event_log
| filter action_evtlog_event_id = 4625
| filter agent_hostname in (dataset = endpoints | filter tags contains "CRITICAL" | fields endpoint_name)
//| alter actor_effective_username = action_evtlog_data_fields(to_json_string($.TargetUserName))
| alter TargetUserName = trim(json_extract(action_evtlog_data_fields, "$.TargetUserName"), "\"")
| alter ClientHostname = trim(json_extract(action_evtlog_data_fields, "$.WorkstationName"), "\"")
| alter ProcessName = trim(json_extract(action_evtlog_data_fields, "$.ProcessName"), "\"")
| fields agent_hostname, agent_ip_addresses, action_evtlog_description, TargetUserName, ClientHostname, insert_timestamp
| comp count(agent_hostname) as counter by agent_hostname, agent_ip_addresses, action_evtlog_description, TargetUserName, ClientHostname, insert_timestamp
| filter counter > 50
Regards,
Fábio
03-16-2023 12:23 PM
Hi FabioFerreira,
I would recommend following the instructions linked here to build a correlation rule. You could try using the below query as a template for creating the correlation rule.
config case_sensitive = false
| dataset = xdr_data
| filter agent_hostname in (dataset = endpoints | filter tags contains "CRITICAL" | fields endpoint_name)
| filter action_evtlog_description = "An account failed to log on"
| comp count() as failure_count by agent_hostname
| filter failure_count > 50
Regards,
Ben
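The detection logic from both replies above, rewritten as an added, stand-alone Python example so it can be run offline against sample data (this is not Cortex XDR code and not either poster's query). It mirrors the XQL pieces in the thread: look up the endpoints tagged "CRITICAL", keep only event ID 4625 ("An account failed to log on"), pull TargetUserName and WorkstationName out of the JSON in action_evtlog_data_fields, count per host/account/source, and raise an alert when the count exceeds 50. The event rows, the endpoint list and the hostnames are constructed for the example; the one-hour sliding window is an assumption standing in for the time window a correlation rule would be evaluated over.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of the "endpoints" dataset (hypothetical hosts and tags).
ENDPOINTS = [
    {"endpoint_name": "dc01", "tags": ["CRITICAL", "domain-controller"]},
    {"endpoint_name": "fs02", "tags": ["CRITICAL"]},
    {"endpoint_name": "ws-105", "tags": ["workstation"]},
]

EVENT_ID_FAILED_LOGON = 4625  # Windows Security event "An account failed to log on"


def make_event(host, ts, target_user, workstation):
    """Build one constructed xdr_event_log row with the fields the thread's queries use."""
    data_fields = {"TargetUserName": target_user, "WorkstationName": workstation, "ProcessName": "-"}
    return {
        "agent_hostname": host,
        "action_evtlog_event_id": EVENT_ID_FAILED_LOGON,
        "action_evtlog_description": "An account failed to log on",
        "action_evtlog_data_fields": json.dumps(data_fields),  # stored as a JSON string, as in XQL
        "insert_timestamp": ts,
    }


def sample_events():
    """Constructed events: one real burst, one low-volume host, one untagged host."""
    base = datetime(2023, 3, 16, 10, 0, 0)
    events = []
    # 60 failures in ten minutes against dc01 (tagged CRITICAL): should alert.
    for i in range(60):
        events.append(make_event("dc01", base + timedelta(seconds=10 * i), "svc_backup", "WKS-12"))
    # 20 failures against fs02 (tagged CRITICAL): below the threshold.
    for i in range(20):
        events.append(make_event("fs02", base + timedelta(minutes=i), "jdoe", "WKS-07"))
    # 80 failures against ws-105, which is not tagged CRITICAL: must not alert.
    for i in range(80):
        events.append(make_event("ws-105", base + timedelta(seconds=5 * i), "admin", "LT-33"))
    return events


def critical_hosts(endpoints):
    """Equivalent of: dataset = endpoints | filter tags contains "CRITICAL" | fields endpoint_name."""
    return {e["endpoint_name"] for e in endpoints if "CRITICAL" in e["tags"]}


def extract_field(raw_json, name):
    """Equivalent of trim(json_extract(action_evtlog_data_fields, "$.<name>"), "\""):
    return the field as a bare string, or None if the JSON is missing or malformed."""
    try:
        value = json.loads(raw_json).get(name)
    except (json.JSONDecodeError, TypeError, AttributeError):
        return None
    return None if value is None else str(value).strip('"')


def max_in_window(timestamps, window):
    """Largest number of events that fall inside any single span of length `window`."""
    ts = sorted(timestamps)
    best = left = 0
    for right in range(len(ts)):
        while ts[right] - ts[left] > window:
            left += 1
        best = max(best, right - left + 1)
    return best


def brute_force_alerts(events, endpoints, threshold=50, window=timedelta(hours=1)):
    """Return {(host, target_user, source_workstation): count} for every group whose
    failed-logon count inside one window exceeds the threshold."""
    watched = critical_hosts(endpoints)
    buckets = defaultdict(list)
    for ev in events:
        if ev["action_evtlog_event_id"] != EVENT_ID_FAILED_LOGON:
            continue
        if ev["agent_hostname"] not in watched:
            continue
        raw = ev["action_evtlog_data_fields"]
        key = (ev["agent_hostname"], extract_field(raw, "TargetUserName"), extract_field(raw, "WorkstationName"))
        buckets[key].append(ev["insert_timestamp"])
    return {key: n for key, stamps in buckets.items() if (n := max_in_window(stamps, window)) > threshold}


if __name__ == "__main__":
    for (host, user, source), n in brute_force_alerts(sample_events(), ENDPOINTS).items():
        print(f"CRITICAL: {n} failed logons on {host} for account {user} from {source}")
```

Grouping by host, account and source workstation keeps the per-account detail of Fábio's query while still producing one aggregate per attack source; the count is taken over a sliding time window rather than over the raw insert_timestamp, because grouping by an exact timestamp splits the events into one group each and the threshold is never reached.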