How to implement aggregation-based detection in OpenSearch Security Analytics?

Hi team,

I’m using OpenSearch 2.19.1 and trying to implement a brute force detection rule using Security Analytics feature. My goal is to trigger an alert when more than 20 failed login events occur within 5 minutes, grouped by the same IP address (azure.signinlogs.caller_ip_address).

I’ve created a custom rule as follows:

YAML (currently using):

    id: 25b9c01c-350d-4b95-bed1-836d04a4f324
    logsource:
      product: azure
    title: Multiple Failed Logins From Same IP (Brute Force)
    description: Multiple Failed Logins From Same IP (Brute Force)
    tags:
    falsepositives:
    level: high
    status: experimental
    references:
    author: sunil kumar

    detection:
      condition: Selection_1
      Selection_1:
        azure.signinlogs.result_type|contains:
          - '500121'

    aggregation:
      type: count
      field: azure.signinlogs.caller_ip_address
      threshold: 20
      timeframe: 5m

I created a detector using this rule, but I noticed that the rule triggers for every matching event, even when only 2 events are ingested in 5 minutes. The visual editor does not show any aggregation options, and I’m unsure how to enforce the grouping and threshold logic.

Questions:

  1. How can I configure the detector to apply aggregation (e.g., count > 20 grouped by IP in 5 minutes)?

  2. Is aggregation supported in custom rules or only in prepackaged ones?

  3. Is there a workaround or YAML syntax to enforce this logic in 2.19.1?

Note: I tried working with alerting via a per-query execution monitor, and that setup works as expected. However, I want to achieve the same logic using the Security Analytics feature. Will this approach work, or is aggregation not supported in Security Analytics custom rules?

Any guidance or examples would be greatly appreciated.