Question on log search

Hello! I am looking for a way in a log search to limit the source ip address, this is for an alert
I am creating.

here is an example:

if windows event XXX happens X amount of time within a certain time period and
the source ip is the same

anyone have any ideas how I would be able to do this?

Hello @pete_jacob,

Great question!
You can build your query in log search. Once you are getting the results you want you can save it.
Then, on Step 3 when creating your custom pattern detection alert, you can choose a saved query.

Next, to set the X amount of times before it alerts, you can do this on step 4 by clicking the custom match settings.
image

Let me know if this helps!

Regards,
Felipe

Hello! but how would I say “limit to the same source ip”. I want to know if certain windows events are coming from the same source ip.

This is possible via an InsightConnect workflow built from a custom alert trigger today see here, or by writing a custom script against our query API to essentially query for the data you desire on a regular interval, running a groupby(source_ip) for example, and then in the script you would check if the IP address appears more than X times. If so, trigger a log message to log search.

I have an example working script if this would be something you wish to explore, written in Python.

Also, if you wish to learn more about InsightConnect, see here https://www.rapid7.com/info/soc-automation/

Thanks David! I don’t have insightConnect, I am working to create an alert triggering for password spraying using the tools I have inside of IDR.

for example:
Configure alerts for >50 4625 events within 1 minute.
Configure alerts for >50 4771 events with failure code=0x18 within 1 minute.
Configure alerts for >100 4648 events on workstations within 1 minute.

All of these need to be the same source ip.

Hi Pete,

what you are talking about is not possible within the product using custom alerts today. We have a project slated for 2021 dedicated to building static thresholds and alerts using groupby functions.

With that being said it is possible to have a custom python script against our query API which would deliver the alerts you desire.

The script would need to run as a cron (scheduled task) and it would essentially poll for the data last seen in the last 30 mins (for example) and alert if any sourceIP address exceeds your static threshold.

I have an example python script that you could build upon if that is something you would like to explore.

Otherwise we will have to wait until some time next year when we build this functionality into the product.

The closest thing that exists within the product today is a change detection alert. With this you could detect an increase in failed logons, (increase or decrease in any calculation or pattern match query) with respect to some other time.

So an example would be, a change detection alert, with a trigger of where(source_json.eventCode=4625)calculate(unique:source_json.computerName)

you could fire an alert if you observed an increase of 500% in the last 1 hour with respect to the previous hour.

See change detection alert details here: https://docs.rapid7.com/insightidr/create-and-manage-custom-alerts#change-detection-alert

The limitation with these alerts are that you cannot perform a groupby, only a calculation. And also, it is a relative comparison, you cannot have a static threshold.

1 Like

Thank you @david_smith. lmk when your working on this if I can be of any help.

also just to ask the question, would this be something that a regular expression could do?
I think no, but wanted to ask the question.

being able to detect password spraying is very high on our list and something that a pentester would do as an initial step. we have implemented strong password policies but would be amazing to to be able to detect!

1 Like

Regex wouldn’t allow you to overcome this limitation, no.

However as I mentioned you can absolutely build a password spraying alert using a change detection alert as I previously outlined. And it should work, only thing is you cannot be very granular and set a static threshold. But if you ran a query for a typical day

where(result!=SUCCESS AND result)calculate(unique:computerName)timeslice(1s)

you would get an idea of what is normal, and then from that you can start to build your change detection alert and set the percentage increase threshold to something that makes sense.

for example, if the result of the above query shows you have no more than 10 failed log ons in a typical hour, then a change detection alert would allow you to trigger if 20 happened in one hour, by setting the trigger to fire when an increase of 100% is seen in the last hour, compared to one hour ago.

1 Like

Hi Pete and David,

I’m looking the same query which you mentioned here.

Kindly help me and share if you found any way to indexing the alerts based on the source IP.
I’m struggling to create custom alert for password spray.

Thanks in advance.

Regarding password spray, we’re trying something similar to some of the ideas mentioned above. However, we’re looking at failed logins over 1 day. We’re doing this so we detect low and slow attacks. Also, we typically see an increase in failed logins around the start of our business hours, so if we look at results in an hour we could have false positives every day. We still get false positives with what we’ve done, but generally so far only on company holidays (because the company will have much different numbers from a week after a holiday). Picture of trigger condition is below. We haven’t done many custom alerts - would appreciate anyone poking holes in it.

CustomAlert-PasswordSpray

Hey Matt, I replied to Asmins similar post over here: Index with source IP address

I recommend you give it a read.

this is great news, let me know how I can help.