Question on log search

pete_jacob · October 15, 2020, 1:36pm

Hello! I am looking for a way in a log search to limit the source ip address, this is for an alert
I am creating.

here is an example:

if windows event XXX happens X amount of time within a certain time period and
the source ip is the same

anyone have any ideas how I would be able to do this?

felipe_legorreta · October 15, 2020, 2:34pm

Great question!
You can build your query in log search. Once you are getting the results you want you can save it.
Then, on Step 3 when creating your custom pattern detection alert, you can choose a saved query.

Next, to set the X amount of times before it alerts, you can do this on step 4 by clicking the custom match settings.

Let me know if this helps!

Regards,
Felipe

pete_jacob · October 15, 2020, 2:36pm

Hello! but how would I say “limit to the same source ip”. I want to know if certain windows events are coming from the same source ip.

david_smith · October 19, 2020, 11:58pm

This is possible via an InsightConnect workflow built from a custom alert trigger today see here, or by writing a custom script against our query API to essentially query for the data you desire on a regular interval, running a groupby(source_ip) for example, and then in the script you would check if the IP address appears more than X times. If so, trigger a log message to log search.

I have an example working script if this would be something you wish to explore, written in Python.

Also, if you wish to learn more about InsightConnect, see here https://www.rapid7.com/info/soc-automation/

pete_jacob · October 27, 2020, 4:35pm

Thanks David! I don’t have insightConnect, I am working to create an alert triggering for password spraying using the tools I have inside of IDR.

for example:
Configure alerts for >50 4625 events within 1 minute.
Configure alerts for >50 4771 events with failure code=0x18 within 1 minute.
Configure alerts for >100 4648 events on workstations within 1 minute.

All of these need to be the same source ip.

david_smith · October 27, 2020, 5:10pm

Hi Pete,

what you are talking about is not possible within the product using custom alerts today. We have a project slated for 2021 dedicated to building static thresholds and alerts using groupby functions.

With that being said it is possible to have a custom python script against our query API which would deliver the alerts you desire.

The script would need to run as a cron (scheduled task) and it would essentially poll for the data last seen in the last 30 mins (for example) and alert if any sourceIP address exceeds your static threshold.

I have an example python script that you could build upon if that is something you would like to explore.

Otherwise we will have to wait until some time next year when we build this functionality into the product.

The closest thing that exists within the product today is a change detection alert. With this you could detect an increase in failed logons, (increase or decrease in any calculation or pattern match query) with respect to some other time.

So an example would be, a change detection alert, with a trigger of where(source_json.eventCode=4625)calculate(unique:source_json.computerName)

you could fire an alert if you observed an increase of 500% in the last 1 hour with respect to the previous hour.

See change detection alert details here: https://docs.rapid7.com/insightidr/create-and-manage-custom-alerts#change-detection-alert

The limitation with these alerts are that you cannot perform a groupby, only a calculation. And also, it is a relative comparison, you cannot have a static threshold.

pete_jacob · October 27, 2020, 5:15pm

Thank you @david_smith. lmk when your working on this if I can be of any help.

also just to ask the question, would this be something that a regular expression could do?
I think no, but wanted to ask the question.

being able to detect password spraying is very high on our list and something that a pentester would do as an initial step. we have implemented strong password policies but would be amazing to to be able to detect!

david_smith · October 27, 2020, 5:30pm

Regex wouldn’t allow you to overcome this limitation, no.

However as I mentioned you can absolutely build a password spraying alert using a change detection alert as I previously outlined. And it should work, only thing is you cannot be very granular and set a static threshold. But if you ran a query for a typical day

where(result!=SUCCESS AND result)calculate(unique:computerName)timeslice(1s)

you would get an idea of what is normal, and then from that you can start to build your change detection alert and set the percentage increase threshold to something that makes sense.

for example, if the result of the above query shows you have no more than 10 failed log ons in a typical hour, then a change detection alert would allow you to trigger if 20 happened in one hour, by setting the trigger to fire when an increase of 100% is seen in the last hour, compared to one hour ago.

asmin_bhujel · April 21, 2021, 12:33pm

Hi Pete and David,

I’m looking the same query which you mentioned here.

Kindly help me and share if you found any way to indexing the alerts based on the source IP.
I’m struggling to create custom alert for password spray.

Thanks in advance.

matt_robinson · May 4, 2021, 12:17am

Regarding password spray, we’re trying something similar to some of the ideas mentioned above. However, we’re looking at failed logins over 1 day. We’re doing this so we detect low and slow attacks. Also, we typically see an increase in failed logins around the start of our business hours, so if we look at results in an hour we could have false positives every day. We still get false positives with what we’ve done, but generally so far only on company holidays (because the company will have much different numbers from a week after a holiday). Picture of trigger condition is below. We haven’t done many custom alerts - would appreciate anyone poking holes in it.

CustomAlert-PasswordSpray

david_smith · May 4, 2021, 12:43am

Hey Matt, I replied to Asmins similar post over here: Index with source IP address

I recommend you give it a read.

pete_jacob · May 4, 2021, 12:51am

this is great news, let me know how I can help.

tvogt · September 8, 2022, 1:27pm

Hello there,

are there any news @pete_jacob and @david_smith about the password spray detection in InsightIDR?

Greetings,
Thomas

pete_jacob · September 8, 2022, 1:39pm

hello, not to my knowledge. I feel pretty strongly that the plattform should be able to detect password spraying natively. Not talking about brute force.

david_smith · September 8, 2022, 3:40pm

@tvogt We are currently working towards building a new Custom Detection Rules feature which will allow users to build rules such as, alert me if there are 100 failed logons across 50 unique assets in 1 hour. This is expected to release into early access sometime in the next 6 months

David

dome · May 29, 2023, 3:30pm

Hi David,
is there any news regarding this release? This is a very useful feature and one that I have asked for several times in the past years.

Thanks

david_smith1 · May 30, 2023, 9:27am

Hi @dome we are currently in early access with this feature, we can get this enabled for your Org if you would like.

dome · May 30, 2023, 9:40am

Hi David,
yes, please, I need to enable this feature in 3 of my active customer OrgIDs, and in a POC I’m running. Is it possible?

Thanks

david_smith1 · May 30, 2023, 10:06am

@dome would you mind raising a support case so we can ensure we enable it for the correct accounts?

Feel free to reference this post

David

dome · May 30, 2023, 10:20am

Hi @david_smith1,
Case 04569865 already exists since yesterday, I’ll update it with the reference to this post.

Thank you