Settings for a password spray alert

I’m working on creating an alert to let my team know if a password or account spray attack is in progress. We have a script we use, and this is what I see in the dashboard.

This is what I currently have set on the alert definition page, but I’m getting the results I expect. I want it to say: IF a large amount of THIS error appears within a 5-minute period, then send an alert email.


I think the setup works fine if someone is attempting to brute force ONE account. But I’m really looking to add an additional event to detect a mass account spray from one source as an OR definition.

Hey @giveen,

You should create two alerts: one grouped by username to see if someone tries to break into a single account, and a second one grouped by source to see if a single source tries to break in, not looking at the username. You could add a third that is not grouped by anything to see the overall number, as above.

When you attach a notification to the event, it will become an alert.

Does that make sense?
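The three aggregations the reply suggests, run over a handful of constructed failed-login lines, as an added example (not the poster's script and not Graylog's event-definition engine): count per username for brute force against one account, distinct usernames per source address for a spray, and an ungrouped count for an overall surge, all within a 5-minute window. The log format, field names, thresholds and IP addresses are assumptions. The one point it adds beyond the reply is that the per-source detector counts distinct usernames rather than raw events, because a spray typically sends only one attempt per account and a plain event count per source would look like a single noisy user; if your SIEM offers a cardinality or distinct-count aggregation, that is the function to use for the grouped-by-source event.

```python
"""Brute-force / password-spray / surge detectors over failed-login lines.

Added example, not code from the thread or from Graylog. It implements the
three aggregations suggested in the reply, each over a 5-minute window.
Log format, field names, thresholds and addresses are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)

# Assumed thresholds; tune them against your own baseline of failures.
PER_USER_THRESHOLD = 10          # failures for one account  -> brute force
PER_SOURCE_USERS_THRESHOLD = 8   # distinct accounts per src -> password spray
GLOBAL_THRESHOLD = 40            # failures in the whole window -> surge


def parse_line(line):
    """Parse the constructed format: '<ISO ts> auth_failure user=<u> src=<ip>'."""
    ts, _, rest = line.partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split()[1:])
    return {"ts": datetime.fromisoformat(ts), "user": fields["user"], "src": fields["src"]}


def detect(lines, now=None):
    """Return a list of (kind, key, value) alerts for events in the window ending at `now`.

    `now` defaults to the newest event timestamp, which is how a batch run over
    a log file behaves; a streaming engine would use wall-clock time instead.
    """
    events = [parse_line(line) for line in lines]
    if not events:
        return []
    now = now or max(e["ts"] for e in events)
    window_start = now - WINDOW
    recent = [e for e in events if window_start < e["ts"] <= now]

    per_user = defaultdict(int)        # grouped by username
    users_per_src = defaultdict(set)   # grouped by source, counting distinct users
    for e in recent:
        per_user[e["user"]] += 1
        users_per_src[e["src"]].add(e["user"])

    alerts = []
    for user, n in sorted(per_user.items()):
        if n >= PER_USER_THRESHOLD:
            alerts.append(("brute_force", user, n))
    for src, users in sorted(users_per_src.items()):
        if len(users) >= PER_SOURCE_USERS_THRESHOLD:
            alerts.append(("password_spray", src, len(users)))
    if len(recent) >= GLOBAL_THRESHOLD:   # ungrouped count
        alerts.append(("failure_surge", "*", len(recent)))
    return alerts


def build_sample_log():
    """Constructed sample: a spray, a brute force, one stale line, one typo."""
    base = datetime(2024, 1, 15, 9, 0, 0)
    lines = []
    # Spray: one source, 12 different accounts, one failure each, 10 s apart.
    for i in range(12):
        ts = (base + timedelta(seconds=10 * i)).isoformat()
        lines.append(f"{ts} auth_failure user=user{i:02d} src=203.0.113.7")
    # Brute force: one account hit 11 times from a second source.
    for i in range(11):
        ts = (base + timedelta(seconds=15 * i)).isoformat()
        lines.append(f"{ts} auth_failure user=alice src=198.51.100.9")
    # Stale failure 30 minutes earlier: outside the window, must not count.
    lines.append(f"{(base - timedelta(minutes=30)).isoformat()} auth_failure user=bob src=192.0.2.5")
    # A single mistyped password from a legitimate user inside the window.
    lines.append(f"{(base + timedelta(seconds=90)).isoformat()} auth_failure user=carol src=192.0.2.6")
    return lines


if __name__ == "__main__":
    for kind, key, value in detect(build_sample_log()):
        print(f"{kind}: {key} ({value})")
```

Running it flags `alice` as a brute-force target (11 failures) and `203.0.113.7` as a spray source (12 distinct accounts), while the 24 failures in the window stay below the surge threshold and the 30-minute-old line is ignored. Each detector maps to one event definition in the SIEM, with the email notification attached to all three.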
