Log search query

Hi,

I would like to create a search query which will help me identify the users who had several failed logins followed by a successful login, meaning that we take the case scenario of the account being compromised.
I did try many variations, but somehow the part “followed by” can’t be found.

If you already worked on such search, please share your experience and a search query!
Thanks in advance!

This is not possible within log search currently, you would need to write a script against the API to achieve this today, effectively looking for users with X login failures in Y minutes, followed by a successful login within a specific timeframe.


Hi @david_smith1,

If you could throw a ray of light on the script against the API to achieve this use case, like how we can make use of a script to generate the investigation once it is achieved.


One thing you could do is create a custom detection rule which looks for excessive failed logins, x times in y minutes, and if it sees for any given user that threshold being met, dynamically create another rule to look for a successful login. If the subsequent rule fires it means there was a string of failed logins, followed by a successful login.

This would effectively be a workaround for an existing feature we have but have not built custom rule creation for as of yet. This concept is called Multi Vector Detection rules; you can see we have built a few of these already by searching for the words “followed by” in the Detection Rules.

We currently don’t have an ETA as to when these MVD rules will be exposed to allow customers to build them, so a workaround would be to use automation to chain together the output from rule A as an input for rule B.

David

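The logic both answers describe (X login failures within Y minutes for one user, followed by a successful login within a set time) as a stand-alone script, added here as an example and not taken from the original posts or from the product's API. It runs over constructed JSON log lines with assumed field names (`ts`, `user`, `result`, `src`); the function names are hypothetical, and in practice the records would come from whatever API export or paged query you use.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (JSON, one event per line); not real data.
SAMPLE_LOG = """
{"ts":"2024-01-05T10:00:30Z","user":"alice","result":"FAILURE","src":"203.0.113.7"}
{"ts":"2024-01-05T10:00:00Z","user":"alice","result":"FAILURE","src":"203.0.113.7"}
{"ts":"2024-01-05T10:01:00Z","user":"alice","result":"FAILURE","src":"203.0.113.7"}
{"ts":"2024-01-05T10:02:00Z","user":"alice","result":"SUCCESS","src":"203.0.113.7"}
{"ts":"2024-01-05T10:00:00Z","user":"bob","result":"FAILURE","src":"198.51.100.2"}
{"ts":"2024-01-05T10:30:00Z","user":"bob","result":"FAILURE","src":"198.51.100.2"}
{"ts":"2024-01-05T10:31:00Z","user":"bob","result":"SUCCESS","src":"198.51.100.2"}
{"ts":"2024-01-05T10:00:00Z","user":"carol","result":"FAILURE","src":"192.0.2.9"}
{"ts":"2024-01-05T10:00:20Z","user":"carol","result":"FAILURE","src":"192.0.2.9"}
{"ts":"2024-01-05T10:00:40Z","user":"carol","result":"FAILURE","src":"192.0.2.9"}
{"ts":"2024-01-05T10:40:00Z","user":"carol","result":"SUCCESS","src":"192.0.2.9"}
"""

def parse_log(text):
    """Parse JSON lines and sort by time, so out-of-order records (as a paged API query may return) are handled."""
    events = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return sorted(events, key=lambda r: r["ts"])

def detect_brute_force_then_success(events, threshold=3,
                                    fail_window=timedelta(minutes=5),
                                    success_within=timedelta(minutes=10)):
    """One alert per user whose SUCCESS came within success_within of >= threshold FAILUREs inside fail_window."""
    recent_fail = defaultdict(deque)   # user -> timestamps of recent failures
    alerts = []
    for ev in events:
        user, ts = ev["user"], ev["ts"]
        q = recent_fail[user]
        if ev["result"] == "FAILURE":
            q.append(ts)
            while q and ts - q[0] > fail_window:   # keep only the last fail_window
                q.popleft()
        elif ev["result"] == "SUCCESS":
            if len(q) >= threshold and ts - q[-1] <= success_within:
                alerts.append({"user": user, "failures": len(q),
                               "first_failure": q[0], "last_failure": q[-1],
                               "success": ts, "src": ev["src"]})
            q.clear()     # a success ends the current run, alerted or not
    return alerts
```

In the sample data only `alice` matches: `bob`'s two failures are 30 minutes apart, so the window prunes the first, and `carol`'s success arrives 39 minutes after her last failure.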