Hello everyone,
I am creating a custom detection rule that generates an alert when a user logs in with invalid credentials more than 5 times within 30 min. I have login_time (Datetime).
For this I have written the logic using the following:
Group by: user_name
Set Threshold: This rule will detect only once, on match 6.
Timeframe: 30 min.
But the logs we are receiving are not real-time; all of yesterday's logs are ingested into Rapid7 in a batch.
The timeframe this rule should consider is the login_time of that user. But it seems it is taking the ingestion time, and as logs are coming in batches the ingestion time for all the logs is almost the same, and hence it may be generating false alerts.
Is there any way to use login_time to set the threshold, or any other way to fulfill this requirement? Because even if I fetch only the time from login_time it will not give me that rolling effect for 30 min, as it should start counting 30 min from the user's first invalid login.
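As an added example (not Rapid7 code and not from the original post), the rolling-window logic the post describes, implemented in Python and run over constructed sample events. The detector keys the 30-minute window on the event's own timestamp, starts the window at the user's oldest failure still within range, fires once on the 6th failure, and can be pointed at either `login_time` or `ingestion_time` so the batch-ingestion false positive is visible side by side. The field names `user_name`, `login_time`, `ingestion_time` and `result`, and all sample events, are assumptions made for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)
THRESHOLD = 6  # "more than 5 times" means fire on the 6th failure


def parse_ts(s):
    """Parse an ISO-8601 timestamp string into a naive datetime."""
    return datetime.fromisoformat(s)


def ev(user, login, ingest, result="FAILURE"):
    """Build one constructed event record (field names are assumptions, not a Rapid7 schema)."""
    return {"user_name": user, "login_time": parse_ts(login),
            "ingestion_time": parse_ts(ingest), "result": result}


# Constructed sample: all of 2024-05-01's logs landed in a single batch at 03:00 on
# 2024-05-02, so ingestion_time is nearly identical for every event.
SAMPLE_EVENTS = [
    # alice: six failures spread over 90 minutes, never six inside any 30-minute window
    ev("alice", "2024-05-01T09:00:00", "2024-05-02T03:00:00"),
    ev("alice", "2024-05-01T09:18:00", "2024-05-02T03:00:01"),
    ev("alice", "2024-05-01T09:36:00", "2024-05-02T03:00:02"),
    ev("alice", "2024-05-01T09:54:00", "2024-05-02T03:00:03"),
    ev("alice", "2024-05-01T10:12:00", "2024-05-02T03:00:04"),
    ev("alice", "2024-05-01T10:30:00", "2024-05-02T03:00:05"),
    # bob: six failures within ten minutes (a success in the middle must not count)
    ev("bob", "2024-05-01T14:00:00", "2024-05-02T03:00:06"),
    ev("bob", "2024-05-01T14:02:00", "2024-05-02T03:00:07"),
    ev("bob", "2024-05-01T14:03:00", "2024-05-02T03:00:08"),
    ev("bob", "2024-05-01T14:05:00", "2024-05-02T03:00:09", result="SUCCESS"),
    ev("bob", "2024-05-01T14:06:00", "2024-05-02T03:00:10"),
    ev("bob", "2024-05-01T14:08:00", "2024-05-02T03:00:11"),
    ev("bob", "2024-05-01T14:10:00", "2024-05-02T03:00:12"),
    # carol: only five failures, below the threshold under either clock
    ev("carol", "2024-05-01T20:00:00", "2024-05-02T03:00:13"),
    ev("carol", "2024-05-01T20:01:00", "2024-05-02T03:00:14"),
    ev("carol", "2024-05-01T20:02:00", "2024-05-02T03:00:15"),
    ev("carol", "2024-05-01T20:03:00", "2024-05-02T03:00:16"),
    ev("carol", "2024-05-01T20:04:00", "2024-05-02T03:00:17"),
]


def detect_failed_login_bursts(events, time_field="login_time",
                               window=WINDOW, threshold=THRESHOLD):
    """Return a list of (user_name, timestamp) alerts.

    Per user, keep the timestamps of failures that fall within `window` of the
    current failure. The window therefore starts at the user's first invalid
    login still in range, which gives the rolling 30-minute behaviour the post
    asks for. The rule fires once when the count reaches `threshold`; the counter
    is then cleared so it does not fire again on every later failure.
    `time_field` chooses which clock drives the window (event time vs ingestion).
    """
    alerts = []
    recent = defaultdict(deque)
    # A batch is not guaranteed to arrive in login_time order, so sort by the
    # chosen field before applying the window.
    for event in sorted(events, key=lambda e: e[time_field]):
        if event["result"] != "FAILURE":
            continue
        user = event["user_name"]
        now = event[time_field]
        q = recent[user]
        q.append(now)
        # Expire failures older than the window relative to this failure.
        while q and now - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            alerts.append((user, now))
            q.clear()
    return alerts


if __name__ == "__main__":
    # Keyed on login_time only bob fires; keyed on ingestion_time alice fires too,
    # because all six of her failures "arrived" within five seconds of each other.
    for field in ("login_time", "ingestion_time"):
        print(field, detect_failed_login_bursts(SAMPLE_EVENTS, field))
```

Running it prints one alert for bob when the window is driven by `login_time`, and an extra, spurious alert for alice when it is driven by `ingestion_time`; that second result is exactly the false positive the post describes, so whatever the platform offers for choosing the event-time field, the check to make is that the window is computed over `login_time` on the full datetime (not just the time of day, which cannot span midnight or distinguish days).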