How to make Security Analytics Rule Detection

I’m trying to make a custom alert to detect login failures for the AWS console.
I wrote this YAML for the detection:


selection_source:
  eventSource: signin.amazonaws.com
  event.outcome: failure
timeframe: 10m
num_event: 5
condition: selection_source

My detector’s interval is 10 min, so I want an alert when it detects 5 login failures in 10 min.

I’m not familiar with YAML, so if you have any idea how to fix this problem, please send me the code.
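For reference, the same intent written as a complete Sigma rule, which is the format Security Analytics custom detection rules use. This is an added example, not the poster's YAML or project code: the `id` is a placeholder, the field names are taken from the post and must match the detector's field mapping, and `timeframe` plus the `count()` condition replace the non-Sigma `num_event` key.

```yaml
# Added example: Sigma rule for "5 AWS console login failures in 10 minutes".
# Not the original poster's rule; id is a placeholder to be replaced with a real UUID.
title: Multiple AWS Console Login Failures
id: 00000000-0000-0000-0000-000000000000
status: experimental
description: Five or more failed AWS console sign-ins within a ten minute window
author: example
logsource:
  product: aws
  service: cloudtrail
detection:
  # Field names as used in the question; they must exist in the detector's mapping (assumption).
  selection_source:
    eventSource: signin.amazonaws.com
    event.outcome: failure
  # Sigma aggregation: fire when the selection matches 5 or more times within 10 minutes.
  # This replaces the non-Sigma "num_event" key from the question.
  timeframe: 10m
  condition: selection_source | count() >= 5
falsepositives:
  - Users mistyping a recently rotated password
level: medium
tags:
  - attack.credential_access
  - attack.t1110
```

Create this under Detection rules, then attach it to a detector whose schedule is at least as short as the 10 minute window so a burst is not split across two runs.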

Hey @samkamiya

Instead of using Security Analytics, have you tried using Alerting and creating a monitor for login failures?
Perhaps something like this…

{
   "name": "Failed Logon",
   "type": "monitor",
   "monitor_type": "query_level_monitor",
   "enabled": true,
   "schedule": {
      "period": {
         "unit": "MINUTES",
         "interval": 1
      }
   },
   "inputs": [
      {
         "search": {
            "indices": [
               "winlogbeat"
            ],
            "query": {
               "size": 500,
               "query": {
                  "bool": {
                     "filter": [
                        {
                           "match_all": {
                              "boost": 1
                           }
                        },
                        {
                           "match_phrase": {
                              "event.original": {
                                 "query": "An account failed to logon",
                                 "slop": 0,
                                 "zero_terms_query": "NONE",
                                 "boost": 1
                              }
                           }
                        },
                        {
                           "match_phrase": {
                              "event.code": {
                                 "query": "4625",
                                 "slop": 0,
                                 "zero_terms_query": "NONE",
                                 "boost": 1
                              }
                           }
                        },
                        {
                           "exists": {
                              "field": "winlog.channel",
                              "boost": 1
                           }
                        },
                        {
                           "exists": {
                              "field": "winlog.event_data.TargetUserName",
                              "boost": 1
                           }
                        },
                        {
                           "exists": {
                              "field": "host.name",
                              "boost": 1
                           }
                        },
                        {
                           "exists": {
                              "field": "event.outcome",
                              "boost": 1
                           }
                        },
                        {
                           "range": {
                              "@timestamp": {
                                 "from": "now-10m",
                                 "to": null,
                                 "include_lower": true,
                                 "include_upper": true,
                                 "boost": 1
                              }
                           }
                        }
                     ],
                     "adjust_pure_negative": true,
                     "boost": 1
                  }
               },
               "version": true,
               "_source": {
                  "includes": [],
                  "excludes": []
               },
               "stored_fields": "*",
               "docvalue_fields": [
                  {
                     "field": "@timestamp",
                     "format": "date_time"
                  },
                  {
                     "field": "event.created",
                     "format": "date_time"
                  },
                  {
                     "field": "winlog.event_data.ClientCreationTime",
                     "format": "date_time"
                  }
               ],
               "script_fields": {},
               "sort": [
                  {
                     "@timestamp": {
                        "order": "desc",
                        "unmapped_type": "boolean"
                     }
                  }
               ],
               "aggregations": {
                  "2": {
                     "date_histogram": {
                        "field": "@timestamp",
                        "time_zone": "America/Chicago",
                        "fixed_interval": "30m",
                        "offset": 0,
                        "order": {
                           "_key": "asc"
                        },
                        "keyed": false,
                        "min_doc_count": 1
                     }
                  }
               },
               "highlight": {
                  "pre_tags": [
                     "@opensearch-dashboards-highlighted-field@"
                  ],
                  "post_tags": [
                     "@/opensearch-dashboards-highlighted-field@"
                  ],
                  "fragment_size": 2147483647,
                  "fields": {
                     "*": {}
                  }
               }
            }
         }
      }
   ],
   "triggers": [
      {
         "query_level_trigger": {
            "id": "jpSKaYgBRnO25hGOgKiN",
            "name": "User Failed logon",
            "severity": "1",
            "condition": {
               "script": {
                  "source": "ctx.results[0].hits.total.value > 5\n\n",
                  "lang": "painless"
               }
            },
            "actions": [
               {
                  "id": "j5SKaYgBRnO25hGOgKiN",
                  "name": "Failed logon",
                  "destination_id": "qR9mVYgBRnO25hGO-KYg",
                  "message_template": {
                     "source": "Monitor {{ctx.monitor.name}} just entered alert status. Please investigate the issue.\n- Period start: {{ctx.periodStart}}\n- Period end: {{ctx.periodEnd}}\n\n\n{{#ctx.results.0.hits.hits}}\n{{@timestamp}}\n> User: {{_source.winlog.event_data.TargetUserName}} \n> Event: {{_source.winlog.channel}} \n> Host: {{_source.host.name}}\n> Event ID: {{_source.event.code}}\n> Status: {{_source.event.outcome}}\n\n{{/ctx.results.0.hits.hits}}",
                     "lang": "mustache"
                  },
                  "throttle_enabled": false,
                  "subject_template": {
                     "source": "User failed to logon",
                     "lang": "mustache"
                  }
               }
            ]
         }
      }
   ]
}

Thank you for your reply.

I’m not sure how to use Security Analytics, so I was trying to use Security Analytics as an alternative to Alerting.

I will try to make it in Alerting.

If you don’t mind, please tell me your use case for Security Analytics and
also how you decide whether to use Alerting or Security Analytics.

Thank you.

Hey @samkamiya

Oh, understood. I’m also testing out Security Analytics. What I found is that there are categories and rules attached to them which can be filtered. You can create a new detection rule, then once the rule is created set up your Detector and add that custom rule. I haven’t done much with it yet; I’m still testing something out.

As for Alerting, I just followed the steps. In the example above I’m using the Windows Event ID for failed logon, “4625”, along with the following:

"event.original": { "query": "An account failed to logon"

There are services that may fail to log on, but I was looking for users.

If I need it to be more precise I can add the following:

"winlog.event_data.LogonType": {
   "query": "2",

This confirms it’s a user logging on locally.

With Security Analytics I use the default rule/s for anything suspicious, malware, etc…

