Hey everyone,
Like the title says, I’m looking to build a query that will only return events over a specific number. As background, we’ve been seeing a number of password spray attacks against our org. We know the source IP range of most of these attacks, but I’m trying to search our logs to see if there are any more that haven’t generated alerts. However, I know that it’s common for users to accidentally type in the wrong password from time to time, so I’d like to exclude those from my search results.
So what I need is a query that will return all users with more than 2 login failures during a specific time frame. I know I can accomplish this by building a custom detection that will group matched data by key, but unless I’m missing something, there doesn’t seem to be a way to do that using a simple LEQL query. Do any of you know of a query that can do this? Or do I simply need to use the count function and manually view the results for what I’m looking for?
Hello mhernandez, hope this answers what you’re looking for. Depending on your logs and event sources, you should be able to use a query such as
where(result=FAILED_BAD_PASSWORD or "FAILED_BAD_LOGIN") groupby(user) having(count>2)
This is taken directly from the Rapid7 InsightIDR documentation: Components for Building a Query | InsightIDR Documentation
Use the sort and timeslice function and bar/tables as necessary to help better drill down or visualize the data you’re looking at.
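To make the where/groupby/having logic concrete, here is an added Python example (not from the thread or from Rapid7's documentation) that applies the same three steps to constructed authentication events: filter to the two failure results, restrict to a time window, group by user and keep only users with more than the threshold. It also shows the extra step the original question asked about, excluding a known source range so that only failures from elsewhere are surfaced. The event field names (`timestamp`, `user`, `result`, `source_ip`), the sample log lines and the 203.0.113.0/24 "known spray range" are all assumptions made for the example.

```python
import ipaddress
import json
from collections import Counter
from datetime import datetime, timezone

# Constructed sample events in JSON-lines form (not real InsightIDR output).
# Field names are assumptions for this example. Addresses are documentation ranges.
SAMPLE_LOG = """\
{"timestamp": "2024-05-01T08:00:00Z", "user": "alice", "result": "FAILED_BAD_PASSWORD", "source_ip": "198.51.100.10"}
{"timestamp": "2024-05-01T08:01:00Z", "user": "alice", "result": "SUCCESS", "source_ip": "198.51.100.10"}
{"timestamp": "2024-05-01T09:00:00Z", "user": "bob", "result": "FAILED_BAD_PASSWORD", "source_ip": "192.0.2.55"}
{"timestamp": "2024-05-01T09:01:00Z", "user": "bob", "result": "FAILED_BAD_LOGIN", "source_ip": "192.0.2.55"}
{"timestamp": "2024-05-01T09:02:00Z", "user": "bob", "result": "FAILED_BAD_PASSWORD", "source_ip": "192.0.2.55"}
{"timestamp": "2024-05-01T10:00:00Z", "user": "carol", "result": "FAILED_BAD_PASSWORD", "source_ip": "203.0.113.7"}
{"timestamp": "2024-05-01T10:01:00Z", "user": "carol", "result": "FAILED_BAD_PASSWORD", "source_ip": "203.0.113.7"}
{"timestamp": "2024-05-01T10:02:00Z", "user": "carol", "result": "FAILED_BAD_PASSWORD", "source_ip": "203.0.113.8"}
{"timestamp": "2024-05-01T10:03:00Z", "user": "carol", "result": "FAILED_BAD_LOGIN", "source_ip": "203.0.113.8"}
{"timestamp": "2024-05-01T11:00:00Z", "user": "dave", "result": "FAILED_BAD_PASSWORD", "source_ip": "198.51.100.20"}
{"timestamp": "2024-05-01T11:05:00Z", "user": "dave", "result": "FAILED_BAD_PASSWORD", "source_ip": "198.51.100.20"}
{"timestamp": "2024-04-30T23:50:00Z", "user": "eve", "result": "FAILED_BAD_PASSWORD", "source_ip": "192.0.2.80"}
{"timestamp": "2024-05-01T12:00:00Z", "user": "eve", "result": "FAILED_BAD_PASSWORD", "source_ip": "192.0.2.80"}
{"timestamp": "2024-05-01T12:01:00Z", "user": "eve", "result": "FAILED_BAD_LOGIN", "source_ip": "192.0.2.80"}
"""

# The two result values from the LEQL where() clause in the answer above.
FAILURE_RESULTS = {"FAILED_BAD_PASSWORD", "FAILED_BAD_LOGIN"}

# Assumed time frame for the search (one day, UTC).
WINDOW_START = datetime(2024, 5, 1, 0, 0, 0, tzinfo=timezone.utc)
WINDOW_END = datetime(2024, 5, 1, 23, 59, 59, tzinfo=timezone.utc)

# Assumed "already known" password-spray source range to exclude.
KNOWN_SPRAY_RANGE = ["203.0.113.0/24"]


def load_events(text):
    """Parse JSON-lines text into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp with a trailing Z into an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def failed_logins_by_user(events, start, end, threshold=2, exclude_networks=()):
    """Equivalent of: where(result=FAILED_BAD_PASSWORD or FAILED_BAD_LOGIN)
    groupby(user) having(count>threshold), restricted to [start, end] and with
    any source in exclude_networks dropped first. Returns {user: failure_count}."""
    networks = [ipaddress.ip_network(n) for n in exclude_networks]
    counts = Counter()
    for ev in events:
        if ev.get("result") not in FAILURE_RESULTS:   # where(result=...)
            continue
        if not (start <= parse_ts(ev["timestamp"]) <= end):   # time frame
            continue
        src = ipaddress.ip_address(ev["source_ip"])
        if any(src in net for net in networks):   # drop the known range
            continue
        counts[ev["user"]] += 1   # groupby(user)
    return {user: n for user, n in counts.items() if n > threshold}   # having(count>threshold)


def run_example():
    """Return (all users over the threshold, users over it once the known range is excluded)."""
    events = load_events(SAMPLE_LOG)
    everyone = failed_logins_by_user(events, WINDOW_START, WINDOW_END)
    unknown_sources = failed_logins_by_user(
        events, WINDOW_START, WINDOW_END, exclude_networks=KNOWN_SPRAY_RANGE
    )
    return everyone, unknown_sources


if __name__ == "__main__":
    everyone, unknown_sources = run_example()
    print("more than 2 failures:", everyone)
    print("more than 2 failures, known range excluded:", unknown_sources)
```

In the sample data alice's single typo and dave's two failures stay below the threshold, eve's first failure falls outside the window so she stays below it too, and only bob and carol are returned; excluding the known range removes carol and leaves bob as the one account worth a closer look. The exclusion is applied before counting rather than after, so a user hit both from the known range and from elsewhere is only judged on the failures you do not already have an alert for.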
Thank you so much!
1 Like