If an unknown ip-address (intruder) is in the network and it tries to acces a file

if someone with an unknown ip in my network (intruder) tries to access a file i have, also in my network, what kind of condition do i set to get an alert? i’ve tried finding the event id for something like that and similar stuff but i’m not getting anywhere. maybe someone has this in their own network to prevent intruders?

Graylog alone can’t do this. You need some kind of file access auditing system, which can send logs to Graylog.

i got to mention that my problem is more finding out when an intruder is in the network… whether he accesses the file or not i have already ready… i use the field content condition, along with EventID 4663.

Utilise pipeline rules to analyse the messages and flag any that are suspicious (I create a new field on the message with an alert reference)
You could then create alert conditions based off that.

You could also try doing it just in the alert event definitions but, I wouldn’t recommend it

what exactly would I be analysing, respectively, what am I supposed to type in those pipelines to look for?

That is what I am paid to figure out and implement.

If this is something you want to start trying to implement, you will need to start doing some research around threat hunting.

Hm… do you also wonder why they’d state in their use cases, that we can see who/what accessed our files and network? https://www.graylog.org/post/top-use-cases-for-log-analysis

or am i mistaken and understood something wrong? thanks so far for your response, to both

Do I wonder why? No… It is a valid use case.

A use-case doesn’t imply that it is something you can necessarily do straight out of the box.
Although you can perform threat hunting with GL pretty much straight out of the box by utilising the search functionality and generating highly targeted queries for what you’re looking for however, I prefer to have that automated and have pipelines flag messages that may be of interest.

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.