InsightIDR - Custom Account Lockout Alert

nowel · July 15, 2021, 5:48am

Hi Guys,

I trying to create a custom account lockout alert with the below consideration:

For every user/account that encounters >= 5 lockouts events in 24hrs, an alert will be sent.
something like: where(action=“ACCOUNT_LOCKED”) groupby(target_account) calculate(count>=5) timeslice(1d) //only those account who got >= 5 lockouts should be in scope; for duration lets just say every 24hrs

Is this something that can be readily created in the InsightIDR? Not really that good on query so any suggestions on how to do this is very much appreciated.

SDavis · July 15, 2021, 1:50pm

Hey Knowell,

So this type of “threshold” querying isn’t available in IDR Log search yet. It’s a very popular request that we have received and should be coming in the future. I don’t have a timeframe for it, but rest assured, it is on our radar.

nowel · July 16, 2021, 8:45am

Hi Stephen,

Thanks a lot for the information!

Hope this will be available soon as we got some similar queries that we want to implement but can’t readily do it.

SDavis · July 16, 2021, 12:20pm

My pleasure, Knowell!