Help for the create correlation rule in opensearch

:rocket: Hello, team!
I am new to OpenSearch and currently exploring OpenSearch Security Analytics. I recently learned that correlation rules can be used to detect specific event scenarios. I would like to create a correlation rule to detect brute force attacks, but I am unable to find proper guidance or documentation on this topic.
Any assistance would be greatly appreciated.
Thank you.

@sohil2306

Perhaps you mean detector rule and not correlation rule? If you are looking to monitor OpenSearch access, you can use a rule similar to the following:

id: QYPe15UB5r-c1stwT9Qd
logsource:
  product: opensearch
title: test-detection-rule
description: >-
  Detects multiple failed login attempts from the same user account or IP
  address within a 5-minute window, indicating a potential brute force attack.
tags:
  - attack.t1110
falsepositives:
  - User mistyping password multiple times
level: medium
status: experimental
references: []
author: Security Analyst
detection:
  selection:
    audit_category: FAILED_LOGIN
  condition: >-
    selection | count(*) by audit_request_effective_user > 20 or selection |
    count(*) by audit_request_remote_address > 20
  timeframe: 5m

In the above case I manually created a logtype opensearch (Category: Access Management) and assigned this rule to a detector with a data source of index security-auditlog-*, which tracks failed logins (among other things).

This rule filters for documents where audit_category is "FAILED_LOGIN" (authentication failure events). It then uses a threshold condition to count events per user and per source IP. If any user (audit_request_effective_user) has more than 20 failed login events within a 5-minute span OR any IP address (audit_request_remote_address) has more than 20 such events in 5 minutes, the rule will trigger a security finding.

Of course, in a production system you would have to improve the Sigma rule (condition) in order to reduce the false alerts, but this is a good starting point.

Regarding the correlation rule, these can be used to detect brute force attacks by monitoring and comparing several indices; this might be useful if you are looking at a multi-event threat scenario across multiple log sources, for example the same IP attempting to gain access to different systems. However, applying this monitoring to raw log indices can be challenging. A better approach would be to apply monitoring on the “findings” generated by detectors, which are stored in an index named “.opensearch-sap--findings-”. You might need to enrich this data with additional fields by using the available field “related_doc_ids”, which points to the original document that triggered the finding (in the above case in the security-auditlog-* index).

Hope this helps
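To make the threshold condition of the rule above concrete, here is an added Python example (not part of the original reply and not OpenSearch's own code) that applies the same per-user and per-IP count over a 5-minute sliding window to constructed security-auditlog-* style documents. The field names come from the rule; the users, IPs and timestamps are made up, and the example assumes a simple `@timestamp` field on each document.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample documents: only the fields the rule uses, values made up.
BASE = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)


def _doc(user, ip, offset_s, category="FAILED_LOGIN"):
    return {"audit_category": category,
            "audit_request_effective_user": user,
            "audit_request_remote_address": ip,
            "@timestamp": BASE + timedelta(seconds=offset_s)}


SAMPLE_AUDIT_DOCS = (
    # alice: 25 failures from one IP within 4 minutes -> user and IP both exceed 20
    [_doc("alice", "10.0.0.5", 10 * i) for i in range(25)]
    # bob: 25 failures spread one per minute over 25 minutes -> never >20 in any 5-minute window
    + [_doc("bob", "10.0.0.9", 60 * i) for i in range(25)]
    # password spray: 22 different users from 10.0.0.7 in 2 minutes -> only the IP exceeds 20
    + [_doc(f"user{i}", "10.0.0.7", 5 * i) for i in range(22)]
    # successful logins fall outside the selection and are never counted
    + [_doc("alice", "10.0.0.5", 300, "AUTHENTICATED")]
)

FIELDS = ("audit_request_effective_user", "audit_request_remote_address")


def find_brute_force(docs, threshold=20, timeframe=timedelta(minutes=5)):
    """Return {(field, value): peak_count} for every user or remote address whose
    FAILED_LOGIN count within any `timeframe` window exceeds `threshold`."""
    # selection: audit_category == FAILED_LOGIN, processed in time order
    selection = sorted((d for d in docs if d.get("audit_category") == "FAILED_LOGIN"),
                       key=lambda d: d["@timestamp"])
    findings = {}
    for field in FIELDS:
        windows = defaultdict(deque)  # value -> timestamps inside the current window
        for doc in selection:
            key = doc.get(field)
            if key is None:
                continue
            window = windows[key]
            window.append(doc["@timestamp"])
            while doc["@timestamp"] - window[0] > timeframe:  # slide the window forward
                window.popleft()
            if len(window) > threshold:
                findings[(field, key)] = max(findings.get((field, key), 0), len(window))
    return findings


if __name__ == "__main__":
    for (field, value), count in find_brute_force(SAMPLE_AUDIT_DOCS).items():
        print(f"finding: {field}={value} had {count} failed logins in 5 minutes")
```

Note that bob's slow attempts produce no finding at all, which is the kind of gap the reply means when it says the condition needs tuning for production.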
