Login Unknown User Formant Alert Rule

Question

HelloOur company very recently configured a Logpoint for ourself and a Customer.the Customer asked for a alert rule, to Alert us and them, whenever someone Attempts to login with a Unknown username format. To see those attempts and see if someone accidentally typed their Password in the username Field.  for this I created this rule (there is probably better ways to do this)-("source_address"="ip") -("source_address"="iü") -("user"="du*")  -("user"="MINWINPC") -("user"="ch*")  -("user"="firewall") -("user"="aa*")  -("user"="da*") -("user"="nu*") -("user"="su*") -("user"="la*")   -("user"="cba_anonymous") -("user"="ex*") "reason"="Unknown user name or bad password."  "event_category"="Logon" device_ip=ip or device_ip=ip The Rule ended up being pretty long, but it mostly works.The mostly being that it generates a lot of noise, because there is a lot of Alerts with user Null, so empty, these alerts seem to come from the DC itself.And I am trying to Exclude null from the search.I tried.-(“user”=”null”), -(“user”=”NULL”), -(“user”=”*”) and -(“user”=*)but none of them actually excluded null. Does anyone Know or have an idea on how to Exclude null results in a search, that would be a great help.Also open for more efficient ways for the rule since it is really loong haha.Thanks in advance Cheers Mike

Nils Krumey · Accepted Answer

Hi!Firstly, you should probably take a look at static and dynamic lists (https://docs.logpoint.com/docs/search-query-language/en/latest/Search%20Query%20Language/Simple%20Search.html#list) and either write something like -user IN [“aa*”,”ex*]or define the list and write -user IN USERLIST. Should make things easier.Secondly, you can’t match against null because it actually mean the field doesn’t exist in the log so there is nothing to compare, but you should be able to do the inverse and and ensure that you only find logs where the field DOES existby adding user=*after your -user=… query.And lastly, you might be able to do something with the eval process command and/or rex command for a regular expression if you want to create something more complex and flexible.

Mike Furrer · Answer

Thanks so much I will look at how to improve it further with your advice.
the user=* worked like a charm, now while I figure out how make it better in total It wont be as noisy.

Thank you so much.

Kind Regards Mike

Reply

Sign up

Already a Partner or Customer? Login with your LogPoint Support credentials. Don‘t have a LogPoint Support account? Ask your local LogPoint Representative. Only visiting? Login with LinkedIn to gain read–access.

Login to the community

Already a Partner or Customer? Login with your LogPoint Support credentials. Don‘t have a LogPoint Support account? Ask your local LogPoint Representative. Only visiting? Login with LinkedIn to gain read–access.

Scanning file for viruses.

This file cannot be downloaded