I am trying to create an alert to monitor for brute force attempt behavior for both linux and windows systems using a multisearch to stack my queries. I currently use the following query for Linux but do not have a goto windows alert that works and had a hard time finding one on answers...
Linux system Brute Force query :
sourcetype="linux_secure" process=sshd "password for" | rex field=_raw "(?Accepted|Failed) password for (?\w+) from (?[0-9A-Fa-f:\.]+)" |eval success=if(result=="Failed",0,1), fail=if(result=="Failed",1,0) |stats range(_time) as range_secs sum(success) as success, sum(fail) as fail by host src |where fail!=0 |eval fail_rate_in_seconds=round(range_secs/fail,2) |where fail>10 AND success>0 | iplocation src |table host src success fail fail_rate_in_seconds Country
↧