Convert rule to LEQL search

testuser · January 23, 2025, 10:02am

Threshold: Only once on match 100

Timeframe: 1 hour

Group matched data by:

source_ip
result

Detect on unique values of:

account

CopyWrap

	from(
	event_type = “ingress_auth”
	)
	where(
	result ICONTAINS “FAILED”
	AND
	service = “vpn”
	)

where(result ICONTAINS “FAILED” AND service=“vpn”)groupby(“source_ip”,“result”)calculate(unique(account))calculate(count)having(count > 100)limit(100)timeslice(1h)

I want to identify requests originating from the same source_ip where the result contains FAILED and where more than 100 requests have been made to the same account. Additionally, I need to determine which users and IP addresses were involved in these requests.
I tried to convert rule to LEQL search to find whole user but I didnt convert it. What am I missing here?

david_smith1 · January 23, 2025, 6:18pm

It should be calculate(unique:account)

the limit(n) is the number of groups, the default is 40. You can set it to a maximum of (20,000)

To actually show the users you would need to add additional groupby fields such as user or account

David