Solved

Login Unknown User Formant Alert Rule

  • 1 June 2023
  • 2 replies
  • 89 views

Hello

Our company very recently configured a Logpoint for ourself and a Customer.
the Customer asked for a alert rule, to Alert us and them, whenever someone Attempts to login with a Unknown username format. To see those attempts and see if someone accidentally typed their Password in the username Field.

 

 

for this I created this rule (there is probably better ways to do this)

-("source_address"="ip") -("source_address"="iü") -("user"="du*")  -("user"="MINWINPC") -("user"="ch*")  -("user"="firewall") -("user"="aa*")  -("user"="da*") -("user"="nu*") -("user"="su*") -("user"="la*")   -("user"="cba_anonymous") -("user"="ex*") "reason"="Unknown user name or bad password."  "event_category"="Logon" device_ip=ip or device_ip=ip

 

The Rule ended up being pretty long, but it mostly works.
The mostly being that it generates a lot of noise, because there is a lot of Alerts with user Null, so empty, these alerts seem to come from the DC itself.
And I am trying to Exclude null from the search.
I tried.

-(“user”=”null”), -(“user”=”NULL”), -(“user”=”*”) and -(“user”=*)
but none of them actually excluded null.

 

Does anyone Know or have an idea on how to Exclude null results in a search, that would be a great help.
Also open for more efficient ways for the rule since it is really loong haha.

Thanks in advance Cheers Mike

icon

Best answer by Nils Krumey 1 June 2023, 07:44

View original

2 replies

Userlevel 4
Badge +7

Hi!

Firstly, you should probably take a look at static and dynamic lists (https://docs.logpoint.com/docs/search-query-language/en/latest/Search%20Query%20Language/Simple%20Search.html#list) and either write something like -user IN [“aa*”,”ex*] or define the list and write -user IN USERLIST. Should make things easier.

Secondly, you can’t match against null because it actually mean the field doesn’t exist in the log so there is nothing to compare, but you should be able to do the inverse and and ensure that you only find logs where the field DOES exist by adding user=* after your -user=… query.

And lastly, you might be able to do something with the eval process command and/or rex command for a regular expression if you want to create something more complex and flexible.

 

 

Thanks so much I will look at how to improve it further with your advice.
the user=* worked like a charm, now while I figure out how make it better in total It wont be as noisy.

Thank you so much.

Kind Regards Mike

Reply