Pipeline alert aggregated

dio99 · May 13, 2020, 1:01pm

Hi
im wondering if i can create a match in pipeline that match if a failed login event id occurs 5 times in 5 min AND one success login then create a match
i know u can do it in enterprise version but cant use it here…

dio99 · May 14, 2020, 9:36am

like this

(event_id:4625 AND keywords:“Audit Failure”)

Threshold = 6 matches within 5min)

AND

(event_id:4624 AND keywords:“Audit Success”)

Threshold = 1 match within 5min)

Alarm will be created when there will be at least 6 failed logon attempts and one successful logon within 5 min time span

jan · May 14, 2020, 2:09pm

that is only doable with the correlation engine … what is enterprise feature.

system · May 28, 2020, 2:09pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
AD failed log on stream Graylog Central (peer support)	5	2325	January 3, 2018
Stream how do correlation betwen 2 rules Graylog Central (peer support)	8	2170	June 29, 2018
Alert Notification Graylog Central (peer support) pipeline-rules , route-to-streampl	5	1629	October 8, 2019
Graylog 3.1 Correlation Alert unexpected operation Graylog Central (peer support)	6	643	December 16, 2019
Monitor Failed Log Ons EventID: 4625 Graylog Central (peer support)	2	492	March 20, 2020

Pipeline alert aggregated

Related Topics