what you are trying to achieve is not possible directly from within the product today. We have heard this request from many customers however, and we have a ticket on the roadmap to deliver an experience around the concept of threshold alerting based on a key exceeding some value. See my other answer here Question on log search - #6 by david_smith
With that being said right now in the product you have the concept of pattern detection alerts, which does allow you to set a threshold of ‘if this happens X times in Y interval [X: 1-100, Y: 1-60 Minutes,Hours,Days]’
This threshold logic requires for a pattern to match exactly however, and currently you cannot introduce a variable (such as an IP address) into the equation.
We also have the concept of Change Detection alerts, this kind of alert gets a little closer to what you might want to achieve with existing functionality today.
With a change detection alert, you could build out your query to say
and then with your trigger logic you could fire an alert if the number of unique destination accounts’s were to Increase above a relative threshold. In order to know what threshold to set, you should look at the historical data.
I’ll show you an example:
Here after running this query against the Asset Authentication logset
where(“source_json.eventCode” = “4625”) calculate(unique:destination_account) timeslice(1h)
We can see how many unique accounts fail to logon over the last 7 day period.
Looking at the graph we can see the most unique accounts that failed to logon in a 1 hour period was 27, this was around 00:00 on the 17th April so if I use 27 as my highest baseline, then I’d want to make sure my change detection alert isn’t too sensitive to the typical fluctuations in the baseline. Looking at the same hour period 00:00-01:00 on the 10th April (7 days prior), I see 16 unique destination accounts
Now to configure a change detection alert to detect a potential password spray attack you might want to say, alert me if the number of unique accounts that fail to logon, increases by 500% above the norm, in the past hour, compared to the same hour last week. Using my example, we had 16 unique accounts fail to logon between 00:00-01:00 on the 10th April, and we had 27 unique accounts fail to logon during the same 1 hour period on the 17th April, so a threshold of 50% increase would be low enough to fire - whereas a threshold of 500% would mean 80+ unique accounts would have had to fail to logon in order for this alert to fire.
This would look something like this
Where you would need to manipulate the ‘Trigger Settings’ Section
Using the example I provided, we would need to see a 500% increase in failed logons to unique accounts in the last 1 hour compared to 1 week ago. Think of it like comparing 9-10am on a Monday with that same hour period from the prior Monday. So if there is a typical hum of activity on a particular day of the week and hour of the day, this change detection alert would fire if something outside of the relative range you configure.
This can be adjusted to be as granular as hour over hour. Comparing 09:00-10:00 with 10:00-11:00 for example. But that may not be the best option - it really depends on what the data looks like.
Similarly you could also leverage the change detection alert to alert on a potential port scan attack. Using something like where(direction=INBOUND)calculate(unique:destination_port) and base your trigger logic around what is expected vs abnormal.
One last thing, change detection alerts can be used for ANY calculate function, not just unique:
And it can be configured to alert on an Increase OR Decrease in the calculation, in the range of 1-500% and the intervals of time vary from Hour over Hour, to Week over Week.
I hope this helps. Let me know if you have further questions.